For immediate release: Oct 29, 2010
Posted by: [Attorney General]
Contact: Molly Butters
Phone: 317-232-0168

WellPoint's notification delay following data breach brings action by Attorney General's office

The Indiana Attorney General's office today filed a lawsuit against Indianapolis-based WellPoint, Inc. claiming the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers. Indiana law requires businesses to notify both the individuals potentially affected by a data breach, as well as the Attorney General's office without unreasonable delay. This notification requirement was supported by Attorney General Greg Zoeller and included in House Enrolled Act 1121, which took effect in July 2009.

Applications for insurance policies submitted to WellPoint containing social security numbers, financial information and health records were potentially available to the general public through an unsecured Internet web-site for a period of at least 137 days between October 2009 and March 2010. According to the state's complaint, WellPoint was notified on February 22, 2010 and again on March 8, 2010 that application records containing personal information were accessible through its public website.

WellPoint did not begin notifying customers of the security breach until June 18, 2010. Following news reports of the breach, the Attorney General's office submitted an inquiry to WellPoint and received a response on July 30, 2010. The delays in notice both to customers and to the Attorney General's office are considered unreasonable. The state is seeking $300,000 in civil penalties.

While most inadvertent security breaches do not result in fraud, notifying those affected in a timely manner significantly reduces the risk of identity theft. Situations involving the theft of personal information for the purposes of identity theft most often result in some form of fraud occurring within seven to 10 days. The Attorney General's office has not received any consumer complaints relating to identity theft as a result of the WellPoint data breach.

The Attorney General's Identity Theft Unit continues to investigate the WellPoint data breach and encourages those who may have been affected to perform a credit check and a security freeze to guard against identity theft. By law, security freezes are available for free to residents of Indiana. More information and instructions are available on the Attorney General's website here:

« Back to News Release List

Link to this event:

WellPoint's notification delay following data breach brings action by Attorney General's office Oct 29, 2010 content_id:CA49E8A6025D4DD7A3E2F6E6577E5B13; type:press; agency:Attorney General; showOnHomepage:Yes; sortDate:Oct 29, 2010; filterDate:201010; isBanner:yes; agencyDivision:Attorney General;10 - October;2010;Press Release;Banner