WellPoint Settles with Indiana Over Health Breach

Health insurer WellPoint Inc. has settled a lawsuit that Indiana Attorney General Greg Zoeller filed last October alleging Anthem Blue Cross and Blue Shield in Indiana did not notify 32,051 individuals in the state, or Zoeller, of a large breach of protected information in a timely manner.

The breach followed an upgrade around Oct. 23, 2009, to a Web site used to apply for individual health policies. The breach enabled personal health information submitted by consumers to be viewed on the site, including name, date of birth, address, Social Security number, telephone number, e-mail address, and health and financial information.

Under terms of the settlement, WellPoint admits the breach and its failure to properly notify the Attorney General as required under state law, will pay a $100,000 fine to a state fund that provides restitution to consumers who were defrauded, agrees to comply with the state's breach disclosure law, will provide up to two years of credit monitoring and identity theft protection services to affected individuals in Indiana, and will provide reimbursement of up to $50,000 to individuals for identity theft losses resulting from the breach.

WellPoint, when it notified affected individuals in June and July 2010 offered one year of protection services. While the settlement covers only the 32,051 affected individuals in Indiana, the breach eventually affected about 645,000 individuals across the nation.

WellPoint issued the following statement following the settlement: "Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information. We have implemented I.T. security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately."

The Indiana Attorney General lawsuit alleged that from at least Oct. 23, 2009, until around March 8, 2010, the information from applicants was accessible. The suit further alleged that WellPoint on Feb. 22, 2010, received written notification from a consumer, Sarah Groveunder, of the breach, but did not attempt to contact Groveunder until March 4 and could not reach her at that time. Further, WellPoint did not start to notify affected consumers until June 18 and did not finish notifications until July 30.

On March 8, 2010, WellPoint received a class action complaint, filed on behalf of Groveunder and other affected individuals. The breach was corrected within 12 hours of receipt of the class action suit, WellPoint later acknowledged in a letter to the Indiana Attorney General.

WellPoint in the letter said Groveunder's letter of Feb. 22 "underwent an initial review and was flagged for further consideration. On or about March 3, 2010, the letter was assigned to a customer service representative for handling. On March 4, 2010, a WellPoint customer service representative called Ms. Groveunder to discuss her letter and to request additional information necessary to address her concerns. The customer service representative was unable to reach Ms. Groveunder and left her a voicemail message with his contact information. Ms. Groveunder did not return WellPoint's call."

The Indiana settlement agreement and dismissal order is available here.

This article originally appeared on Health Data Management's web site.

 

For reprint and licensing requests for this article, click here.
Core systems Data security Claims Policy adminstration Security risk
MORE FROM DIGITAL INSURANCE