On Tuesday, the State of Indiana Attorney General's Office announced an agreement with WellPoint regarding the health care insurer's data breach in 2010. WellPoint will pay the State $100,000 for the breach, which exposed the sensitive personal information of 32,051 Indiana residents. The settlement resolved a lawsuit that Indiana Attorney General Greg Zoeller's office filed under a new data-breach notification law passed in 2009.
A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide, including about 5,600 in Connecticut and 230,000 in California. The breach victims included patients who used the company's website to apply for individual health insurance through WellPoint subsidiaries (Anthem Blue Cross or Anthem Blue Cross and Blue Shield) in 10 states.
The data breach exposed consumer information from October 23, 2009, to March 8, 2010. A consumer alerted WellPoint on February 22, 2010, and again on March 8, 2010, that records containing personal information were potentially accessible. Affected consumers were notified about the breach starting June 18, 2010. Indiana Attorney General Greg Zoeller said:
"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft."
I agree. Breach detection, early notification of consumers, and prompt action are essential. I only wish the settlement amount was larger.