(This post is updated to include links to the Indiana Attorney General's press release and a copy of the complaint)
Back on July 1, we blogged in this space about a very large data breach experienced by health insurer WellPoint. According to WellPoint, over 470,000 individual insurance customers may have been affected by a breach that went unreported for over five months. Now, the Indiana Attorney General's office has made it clear that the silence from WellPoint was unacceptable.
Friday, the Indiana Attorney General's office filed suit in Marion County accusing WellPoint of violating Indiana's state data breach notification law that, as most of these types of laws do, requires businesses to provide notice of data breaches "without unreasonable delay." Business Week reports that state officials in Indiana say that the personal records (including health records and credit card information) were exposed for at least 137 days between last October and March. The suit says WellPoint learned of the problem in late February, but did not start notifying customers until June.
The Connecticut AG's office announced in July that it would also investigate WellPoint for this breach, and the delay in reporting.
Since the compromised information spans WellPoint customers in many states (California among them), we may hear of similar actions by state Attorneys General under their own state data breach notification laws requiring prompt notice.