Indiana Attorney General Greg Zoeller announced, on 5 July 2011, that health insurer WellPoint Inc. has agreed to pay $100,000 after the company failed to notify customers and the state Attorney General 'without unreasonable delay' of a data breach that occurred between October 2009 and March 2010.
The personal data of 32,000 WellPoint Inc. customers became accessible online after the company failed to implement adequate security protections while upgrading its website for applications, which contained Social Security Numbers (SSNs), health records and financial data of applicants. While the company became aware of the problem on 8 March 2010, it did not notify its customers until 18 June 2010. The state Attorney General only learned of the breach through media reports.
''By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state'', Michael J. Kline, Attorney with Fox Rothschild LLP, told DataGuidance. ''[U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.''
As part of the settlement, WellPoint Inc. agreed to provide up to two years of credit monitoring and identity theft protection services to customers affected by the breach, and reimbursement payments of up to $50,000 for any losses resulting from identity theft.