WellPoint Settles Over Data Breach
Indiana to Receive $100,000 for Restitution
WellPoint will pay the state $100,000 for an incident that allowed personal information of thousands of customers to be potentially accessible over the Internet, according to a press release posted by the attorney general. The exposed data included social security numbers, financial information and health records.
"This case should be a teaching moment for all companies that handle consumers' personal data," Attorney General Greg Zoeller said in a statement. "If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general's office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft."
As a result of the suit, WellPoint has agreed to:
- Pay a settlement of $100,000 to the State that the Attorney General's Office can use in the Consumer Assistance Fund, which provides restitution to certain consumers who were defrauded and provided assistance in investigations of the fraud;
- Comply with the Indiana Code 24-4.9, the Disclosure of Security Breach Act;
- Admit to the security breach and subsequent failure to properly notify the Attorney General's Office, as required by law;
- Provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach; and
- Provide reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the breach.
On June 18, 2010, the health insurer began notifying consumers about the breach, which took place between Oct. 23, 2009 and March 8, 2010. The exposed records were available for approximately 137 days through an online application tracker website operated by companies owned by or affiliated with WellPoint.
WellPoint was notified about the breach on Feb. 22 and again on March 8, 2010. Within 12 hours of confirming the problem, WellPoint had fixed it.
Also on March 8, WellPoint was notified that an insurance applicant had filed a class action suit claiming her applicant information, and that of others, was readily accessible to site visitors.
Aside from notifying customers, organizations are required under recent state law to notify the attorney general's office "without unreasonable delay," which WellPoint neglected to do. The attorney general's office did not learn of the breach until news reports came out, after which the office contacted WellPoint and started an inquiry into what happened.
"The requirement to notify the Attorney General 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper," Attorney General Greg Zoeller said.
On Oct. 29, 2010, the attorney general sued WellPoint, alleging the firm took too long to notify residents affected by a health information breach. The case sought an injunction and civil penalties. [See: AG Sues WellPoint Over Breach]
Reacting to the lawsuit, WellPoint Inc. said in an Oct. 29 statement: "As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again. We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted. We made an effort to communicate directly to each of the applicants who were potentially affected."
Under the HITECH Act, state attorneys general can file civil cases in federal court for violations of the Act related to breach incidents, but that wasn't done in the Indiana case, which focuses only on violation of state law.
Around 645,000 consumers nationwide were eventually notified about the breach, according to the press release.
How the Breach Occurred
When customers apply for WellPoint's individual coverage, they receive a URL for an application tracker program where they can get updates on the status of their application. According to Roy Mellinger, WellPoint's vice president of information technology security and chief information security officer, security was not functioning properly during an upgrade of the system. "After the upgrade was completed, a third-party vendor validated that all security measures were in place when, in fact, they were not," according to a statement from the insurer.
The security lapse allowed site visitors to reach other applicants' private information by editing ("back-spacing out of") the URLs that had been sent to customers.
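The failure described above is a missing authorization check: a tracker URL carrying a valid application id was treated as sufficient entitlement, so any visitor who altered the id could retrieve someone else's record, and the post-upgrade sign-off did not catch it. The following is an added illustration written for this page, not WellPoint's code or the tracker's actual implementation. It models the tracker as plain Python functions with constructed sample records and a hypothetical URL layout (`https://tracker.example/status/<id>`), places the vulnerable lookup beside a hardened one that ties each record to the authenticated applicant, and adds the kind of automated authorization regression check that should gate a deployment rather than relying on a vendor's assurance that "all security measures were in place."

```python
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Constructed sample data (not real applicant records): records keyed by a
# sequential application id, each owned by one authenticated applicant.
APPLICATIONS: Dict[int, dict] = {
    1001: {"owner": "alice", "status": "under review", "ssn_last4": "1234"},
    1002: {"owner": "bob", "status": "approved", "ssn_last4": "5678"},
    1003: {"owner": "carol", "status": "pending documents", "ssn_last4": "9012"},
}
USERS = [record["owner"] for record in APPLICATIONS.values()]


class AccessDenied(Exception):
    """Raised when a session is not authorised to see the requested record."""


def app_id_from_url(url: str) -> int:
    """Extract the application id from a tracker URL such as
    https://tracker.example/status/1001 (hypothetical URL layout)."""
    path = urlparse(url).path.rstrip("/")
    return int(path.rsplit("/", 1)[-1])


def lookup_insecure(session_user: str, app_id: int) -> dict:
    """Vulnerable pattern: a valid id is treated as proof of entitlement, so the
    authenticated identity is never consulted. Anyone who alters the id in a
    tracker URL receives another applicant's record."""
    return APPLICATIONS[app_id]


def lookup_secure(session_user: str, app_id: int) -> dict:
    """Hardened pattern: the record is released only to the applicant who owns
    it. A missing record and a foreign record are refused the same way, so the
    response does not reveal which ids exist."""
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session_user:
        raise AccessDenied(f"session {session_user!r} may not view application {app_id}")
    return record


Lookup = Callable[[str, int], dict]


def verify_access_controls(lookup: Lookup) -> bool:
    """Post-deployment authorisation check: every user must be able to read
    their own record and must be refused every other record. Returns False on
    the first violation so it can gate a release after an upgrade."""
    for user in USERS:
        for app_id, record in APPLICATIONS.items():
            url = f"https://tracker.example/status/{app_id}"  # hypothetical layout
            got: Optional[dict] = None
            try:
                got = lookup(user, app_id_from_url(url))
                granted = True
            except AccessDenied:
                granted = False
            should_grant = record["owner"] == user
            if granted != should_grant:
                return False  # either a leak or a legitimate owner locked out
            if granted and got is not record:
                return False  # wrong record served
    return True


if __name__ == "__main__":
    print("insecure lookup passes check:", verify_access_controls(lookup_insecure))  # False
    print("secure lookup passes check:", verify_access_controls(lookup_secure))      # True
```

The check deliberately asserts both directions: that owners keep access (so a broken upgrade that locks everyone out is also caught) and that every cross-applicant request is refused. Because it exercises the real lookup path through the same URL parsing the site would use, it detects the exact class of lapse the article describes, where the security layer silently stopped enforcing ownership after an upgrade while the surrounding application kept working.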