WellPoint reaches tentative accord in data breach suit
■ It is the second settlement to come from lawsuits claiming that the company failed to protect the privacy of individual insurance applicants online.
- WITH THIS STORY:
- » External links
WellPoint has reached a preliminary settlement that will, if approved, bring an end to a class-action lawsuit filed more than a year ago.
The lawsuit, filed in the Superior Court of the State of California, involves the potential exposure of data belonging to more than 600,000 individual health insurance applicants on a company-run website that allowed insurance applicants to track their applications.
The situation came to light when an applicant to WellPoint-owned Anthem Blue Cross of California sued the company in March 2010. The applicant was able to manipulate the web address within the site to gain access to other applicants' information, including names, addresses, dates of birth, Social Security numbers and health and financial information.
When the suit was filed, the company said an upgrade to the system caused the information to become exposed. The company said a third-party vendor validated that all security measures were in place when, in fact, they were not. Changes were made to the system soon after the situation was discovered.
In addition to the class-action suit, the company was sued by Indiana Attorney General Greg Zoeller in July 2010. The suit, filed in Marion County Civil Superior Court, alleged that the company violated the Indiana Disclosure of Security Breach Act by failing to notify Zoeller, and the 32,051 Indiana residents affected by the incident, in a timely manner. That suit was settled in early July, when WellPoint agreed to pay a $100,000 fine. As part of the settlement, WellPoint admitted it had a security breach and failed to properly notify the attorney general's office as required by law.
Under the preliminary settlement in the California class-action matter, WellPoint agreed to offer credit monitoring for two years to all affected individuals. Class members are eligible to receive reimbursement for identity theft losses of up to $50,000 per incident, as well as additional time to file identity theft claims until May 31, 2016. Those making identity theft claims are eligible for an additional five years of credit monitoring. The company also will donate a total of $250,000 to two nonprofit organizations whose efforts are directed at protecting consumers' privacy on the Internet.
WellPoint did not admit wrongdoing in the case, nor was it found guilty. A fairness hearing is scheduled for November, and the courts then will decide whether to approve the settlement.