14 DAY TRIAL // The State of Indiana is suing WellPoint, one of the largest health insurance providers in the United States, for failing to notify customers affected by a data breach in a timely manner.
WRTV Indianapolis' Channel 6 reports that the lawsuit was filed on Friday in Marion County by the attorney's general office and seeks $300,000 from the company.
According to the complaint, WellPoint waited several months before beginning to notify customers whose personal, medical and financial information was exposed during a data breach incident.
The attorney's general office claims that WellPoint learned of the problem on February 22 this year, but only began sending notification letters in June.
Information available when we originally wrote about the incident, suggested that 230,000 people were affected, but Channel 6 now claims as much as 470,000 victims.
In addition, it was previously believed that names, phone numbers, addresses and Social Security Numbers (SSNs) were breached, but according to the new report, credit card details might also have been exposed.
"Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations," a WellPoint spokesman said.
"As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again," he added.
The company previously explained that the breach was the result of a faulty website upgrade, which occurred in October 2009, but claimed that the security hole was available for "a relatively short period."
New information suggests that the website was vulnerable for at least 137 days between October and March, which puts a new perspective on what "relatively short period" means for WellPoint.
According to the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA), "individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach."