The Associated Press reports that WellPoint will pay a fine for its delay in informing consumers of a security breach that may have affected the privacy of their medical data:
Health insurer WellPoint Inc. will pay $100,000 and take other steps after admitting it waited months to notify 32,000 Indiana customers that their Social Security numbers, health records and other personal information might have been exposed online, Indiana Attorney General Greg Zoeller said Tuesday.
The Indianapolis-based parent of Anthem Blue Cross and Blue Shield also agreed to provide up to two years of credit monitoring and identity-theft protection to 32,000 affected Indiana consumers and reimburse them up to $50,000 each for any breach-related losses under the agreement filed last week in Marion Superior Court in Indianapolis, Zoeller said.
Zoeller said a consumer notified WellPoint on Feb. 22 and March 8, 2010, that records containing personal information were potentially accessible. WellPoint immediately secured the site then, but didn’t notify customers for three months, violating an Indiana law that requires companies that experience data breaches to notify both their consumers and the attorney general “without unreasonable delay.” […]
The company issued a statement Tuesday saying it has implemented security changes to prevent further breaches from occurring.
“We have received no indication that any information that may have been accessed has been used inappropriately,” the statement said.