WellPoint also agreed to provide up to two years of credit monitoring and identity theft protection to the customers who had their social security numbers, health records, and financial information data exposed online. The company also agreed to cover up to $50,000 each for any data breach-related losses.
Indiana Attorney General Greg Zoeller said that a customer had informed WellPoint on Feb. 22, 2010, that records containing personal information were publicly accessible on the web. The records were on an unsecured website from Oct. 23, 2009, to March 8, 2010, at which point the company secured the site. However, the company did not begin notifying customers until June 18, 2010, and did not notify the Attorney General’s office, which found about it in the newspaper.
A 2009 state data-breach notification law requires companies to notify consumers and the Attorney General’s office “without reasonable delay” about a possible data breach. "The requirement to notify the Attorney General 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper," Zoeller commented.
"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft", Zoeller concluded.