WellPoint, a national health benefits company, reached a settlement with the Indiana Attorney General’s office in a lawsuit over a data breach that includes a $100,000 payment to the state.
Over a roughly five month period between 2009 and 2010, WellPoint allowed individual insurance policy applicants’ personal information – including social security numbers and financial and health records – to be accessible on an unsecured website. After receiving consumer complaints about the issue, WellPoint secured the site, but did not inform state authorities of the potential breach, a violation of Indiana law.
The state later filed suit against the company and Monday announced a settlement. Attorney General Greg Zoeller says the situation should be a teaching moment for all companies.
“If they suffer a data breach and private information is inadvertently released,” he said, “they must notify the Attorney General’s office and consumers promptly.”
The $100,000 will be used by the state to help those who suffered fraud. The settlement also includes up to two years of credit monitoring and identify theft protection for consumers affected by the breach, as well as up to $50,000 in reimbursement to any customers defrauded as a result, all provided by WellPoint. The data of about 32,000 Hoosiers was exposed, but only one consumer has reported potential identity theft so far.