WellPoint (NYSE: WLP) will pay a $100,000 fine because it waited months before notifying Indiana officials of a security breach that may have exposed personal information of 32,000 members. It also will reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.
After a consumer notified WellPoint that members' Social Security numbers, financial information, and health records were potentially accessible online, it immediately secured the site, according to Legal Newsline. However, the insurer waited three months to notify the affected consumers. And despite being required by Indiana state law to also simultaneously notify the attorney general's office of a data breach, WellPoint never contacted the attorney general.
Instead, news of the data breach prompted the attorney general to contact WellPoint and launch an inquiry, the Northwest Indiana Times reports. Attorney General Greg Zoeller ultimately filed a lawsuit against WellPoint under a state data breach notification law passed in 2009.
"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general's office and consumers promptly," Zoeller said. "Early warning helps minimize the risk that consumers will fall victim to identity theft."
In response to the settlement, WellPoint spokeswoman Gene Rodriguez said "We have implemented IT security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately."