Cyber Incident Victim: Wellpoint Washington Inc.
Date:
Jun 2025
Location:
United States of America
Summary
Wellpoint Washington Inc. and Independent Clinics of Washington were accused of failing to adequately protect patient information from a cyberattack, and of delaying notification to affected individuals for an extended period, which allegedly increased the risk of fraud and identity theft. The alleged shortcomings prompted a proposed nationwide class action seeking damages for negligence and calling for improved data security practices across the organization.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In June 2025, Wellpoint Washington Inc. and its health services partner Independent Clinics of Washington experienced a cyberattack that compromised patient information held by the organizations. The breach involved sensitive data that subscribers had entrusted to the insurer and its provider network. Wellpoint did not notify affected individuals of the incident until nearly a year after the attack, with the delay extending into mid‑2026. On June 12, 2026, a Washington resident filed a proposed nationwide class action lawsuit alleging that Wellpoint failed to adequately protect the patient information and that the delayed notification heightened the risk of fraud.
The plaintiff contends that the postponement of notice left subscribers unaware of the breach for an extended period, thereby increasing their vulnerability to identity theft and financial fraud. The lawsuit highlights broader concerns about data security in the healthcare sector, where personal health information is a frequent target of cybercriminals. Wellpoint, which operates as a subsidiary of Elevance Health Inc., faces potential liability for both the initial breach and its handling of the aftermath. The proposed class action seeks monetary damages for the alleged negligence and requests that the company implement stronger data protection measures to prevent future incidents.
In addition to seeking compensation, the lawsuit asks the court to order Wellpoint to improve its safeguards for subscriber data as part of the relief requested. The case is presented as part of a growing trend of class actions directed at organizations that either fail to secure sensitive information or delay disclosure of breaches. No further technical details about the attack vector, the specific systems affected, or the exact number of individuals impacted are provided in the source material.