Last Friday, the Indiana Attorney General’s office announced that it filed suit against WellPoint, Inc. for failure to comply with Indiana’s notice of breach law. The suit alleges that WellPoint did not notify 32,000 affected customers or the Attorney General’s office in a timely manner. Indiana’s law requires that breached entities provide notice to affected individuals and the Attorney General’s office without unreasonable delay. Ind. Code § 24-4.9.
The Attorney General alleges that between October 2009 and March 2010, WellPoint used an unsecured website in order to accept applications for insurance. These applications asked for individuals’ social security numbers, financial information and health records. Because the website was not secure, this information was available to the public online.
The complaint also states that WellPoint was notified on February 22, 2010 and March 8, 2010 that these applications and personal information were viewable on its website. However, WellPoint did not start notification of affected individuals until June 18, 2010. The Attorney General is seeking $300,000 in civil penalties.