Indiana AG sues WellPoint over data breach
by Steve Ragan - Nov 4 2010, 11:46
The Indiana Attorney General has filed a lawsuit against Indianapolis-based WellPoint for waiting to disclose a data breach the company had suffered. The state is seeking $300,000 USD in civil penalties. However, the severity and the cause of the breach itself are where the story gets interesting.
The WellPoint story initially came to our attention because of the security implications and the fact that we live in Indianapolis. We learned that WellPoint was issuing notifications to some 470,000 customers, including 32,000 Indiana residents and 230,000 Anthem customers in California, due to unauthorized access to systems that may have exposed personal information.
In June, The Tech Herald reported that WellPoint was placing the blame for the data breach on a faulty security update to a system used by customers to track the status of their individual insurance applications. They also blamed attorneys involved in a class action suit.
“After the upgrade was completed, a third-party vendor validated that all security measures were in place, when in fact they were not,” WellPoint said in a statement to The Tech Herald at the time.
The failed security update was performed in October 2009. Shortly after, one customer in California discovered that, by altering the URL, she could access her own data as well as data for other applicants. The data included medical histories, payment information, and other personal information. WellPoint said it learned of the vulnerable application in March 2010, after being subpoenaed in a lawsuit related to the data leak.
While WellPoint was fixing the broken application, its internal investigations showed there was access; however, it came from the attorneys in the class action.
“The vast majority of such manipulation and the resulting unauthorized access occurred at the hands of certain attorneys (representing an applicant),” noted WellPoint's statement.
“We believe that this manipulation was conducted to support a class action against Anthem Blue Cross and/or its parent company - over the very breach being committed.”
Indiana’s Attorney General takes issue with the fact that WellPoint waited until June to issue notifications. Indiana law, via House Enrolled Act 1121, says that a business operating in the state must notify both the impacted individuals and the Attorney General’s office of a data breach without “unreasonable delay.”
According to the complaint, WellPoint was notified on February 22, 2010 and again on March 8, 2010 that application records containing personal information were accessible through its public website.
“The delays in notice both to customers and to the Attorney General's office are considered unreasonable. The state is seeking $300,000 in civil penalties,” a statement from Attorney General Greg Zoeller’s office said.
“The Attorney General's Identity Theft Unit continues to investigate the WellPoint data breach and encourages those who may have been affected to perform a credit check and a security freeze to guard against identity theft. By law, security freezes are available for free to residents of Indiana.”
In June, WellPoint told us they were looking into legal options “with respect to the data, the impact - if any - on our members, and the remediation costs incurred as a result of these actions.”
It’s unclear if the lawsuit in Indiana will alter WellPoint’s plans. Even if lawyers did cause the breach and there was no criminal access to the systems, the company will still have to justify the delay in notification and taking more than 100 days to address the problem.
In a statement to local news agency WRTV on Friday, WellPoint noted that they were “committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations.”
“As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again.”
