AG Sues WellPoint Over Breach
Civil Suit Alleges Delay in Notification
The attorney general alleges that about 32,000 people were not notified of the breach in a timely manner as required under state law. Indiana law requires businesses to notify both the individuals potentially affected by a data breach, as well as the attorney general, "without reasonable delay."
Zoeller is seeking $300,000 in civil penalties.
State, Not Federal Case
Under the HITECH Act, state attorneys general can file civil cases in federal court for violations of the Act related to breach incidents, but that was not done in the Indiana case, which focuses only on violation of state law.
"While the option to file under HITECH/HIPAA in federal court was considered, Indiana's notification laws and enforcement options allow greater remedies," a spokesman for the attorney general said. "Under HITECH/HIPAA, the possible penalties maximum would have been $25,000 vs. $300,000 under Indiana law."
The Connecticut attorney general's office recently settled its federal civil lawsuit against Health Net that alleged the insurer delayed notifying those affected by a breach. Health Net agreed to pay $250,000 in damages and offer stronger consumer protections.
The Connecticut case is the only federal suit filed by a state attorney general so far under the HITECH Act.
Breach Incident Details
Applications for insurance policies submitted to WellPoint Inc., which contained Social Security numbers as well as financial and health information, were potentially available to the general public through an unsecure website for at least 137 days between October 2009 and March 2010, according to a statement from the attorney general.
WellPoint was notified on Feb. 22 and again March 8 that the information was available on the site, but it did not begin notifying customers of the breach until June 18, the attorney general says. Following news reports of the breach in June, the attorney general's office submitted an inquiry to WellPoint and received a response on July 30. The attorney general is calling the delays in notice to customers and its office "unreasonable."
The office confirms, however, that it has not received any consumer complaints relating to identity theft as a result of the breach. But it's continuing an investigation of the incident.
WellPoint Description of Breach
In announcing the incident to the media in June, Roy Mellinger, WellPoint's vice president of information technology security and chief information security officer, said that on March 8 the company was notified that an insurance applicant had filed a class action suit claiming her applicant information, and that of others, was readily accessible to site visitors. The incident was the result of a temporary glitch during an upgrade to a system that WellPoint offers enrollees to track the status of their applications, and the glitch was fixed within 12 hours of confirming the problem, Mellinger told HealthcareInfoSecurity in June.
WellPoint then, in consultation with the Department of Health and Human Services' Office for Civil Rights, decided "out of an abundance of caution" to notify all of the approximately 480,000 applicants in its database about the breach and offer them a year's worth of free credit and identity protection services, a company spokesman re-confirmed on Aug. 23.
Later, after the notifications were sent out, WellPoint reviewed information that had been placed in escrow by the court and was able to pinpoint that only about 32,000 individuals had their information placed at risk as a result of the website glitch, the spokesman said.
The HHS Office for Civil Rights acknowledged in August that WellPoint submitted an addendum to its original breach notification "which modified the number of individuals impacted by the breach." But the office would not offer further comment on why it lowered the total of those affected by the WellPoint incident on its list of major health information breaches to 32,000 from the original 480,000.
Under the HITECH Act's breach notification rule, breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights and the news media, as well as the individuals affected, within 60 days.
WellPoint Reaction
Reacting to the lawsuit, WellPoint Inc. said in an Oct. 29 statement: "As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again. We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted. We made an effort to communicate directly to each of the applicants who were potentially affected. This communication occurred when our extensive analysis was complete.
"In fact, though the majority of individuals who submitted applications were not impacted by the incident, out of an abundance of caution, each applicant received a detailed notification from Anthem Blue Cross and Blue Shield (a WellPoint unit) explaining what happened, and was offered identity protection services for one year at no cost."