Indiana AG Sues WellPoint for Breach

Indiana Attorney General Gregory Zoeller has filed a lawsuit against health insurer WellPoint Inc., alleging the company did not notify 32,051 affected consumers in the state of a breach of their protected health information in a timely manner.

While the HITECH Act gave state attorneys general authority to enforce HIPAA privacy, security and breach notification rules, the Indiana action is being taken under authority of a state law requiring disclosure of data breaches "without unreasonable delay."

WellPoint has previously acknowledged that a Web site used to apply for individual health policies was breached following an upgrade in October 2009 and that the company learned of the breach in March. The breach enabled personal health information submitted by consumers to be viewed on the site. Protected information included name, date of birth, address, Social Security number, telephone number, e-mail address, and health and financial information.

The Indiana lawsuit alleges that from at least Oct. 23, 2009, until around March 8, 2010, the information from applicants was accessible. The suit further alleges that WellPoint on Feb. 22, 2010, received written notification from a consumer, Sarah Groveunder, of the breach, but did not attempt to contact Groveunder until March 4 and could not reach her at that time. Further, WellPoint did not start to notify affected consumers until June 18 and did not finish notifications until July 30.

On March 8, 2010, WellPoint received a class action complaint, filed on behalf of Groveunder and other affected individuals. The breach was corrected within 12 hours of receipt of the class action suit, WellPoint later acknowledged in a letter to the Attorney General.

WellPoint in the letter to the Attorney General said Groveunder's letter of Feb. 22 "underwent an initial review and was flagged for further consideration. On or about March 3, 2010, the letter was assigned to a customer service representative for handling. On March 4, 2010, a WellPoint customer service representative called Ms. Groveunder to discuss her letter and to request additional information necessary to address her concerns. The customer service representative was unable to reach Ms. Groveunder and left her a voicemail message with his contact information. Ms. Groveunder did not return WellPoint's call."

Following the filing of the state's lawsuit, Anthem Blue Cross and Blue Shield, which is WellPoint's subsidiary serving Indiana, issued the following statement:

"Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again.

"We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted. We made an effort to communicate directly to each of the applicants who were potentially affected. This communication occurred when our extensive analysis was complete.

"In fact, though the majority of individuals who submitted applications were not impacted by the incident, out of an abundance of caution, each applicant received a detailed notification from Anthem Blue Cross and Blue Shield explaining what happened, and was offered identity protection services for one year at no cost."

Anthem did not respond to a request for follow-up comment on the Attorney General's contention that the company did not take timely remediation action following Groveunder's initial notification of a breach in February 2010.

The state in its lawsuit is requesting civil penalties totaling $300,000 be levied against WellPoint. For copies of the eight-page Indiana Attorney General lawsuit, and WellPoint's 62-page response last July 30 to a previous request for information from the state, email

