The state insurance commissioner’s office is investigating why it took three months for an insurance company to notify potential victims of a security breach.

Blue Cross Blue Shield of Georgia has known since March that customers’ personal information had been accessible on-line over the previous five months.

But it’s taken until this week for the state’s largest health insurance provider to notify 70,000 potential victims.

The company only discovered the breach because a lawyer filed a class-action lawsuit.

Blue Cross Blue Shield of Georgia says it waited to warn customers because it isn’t sure how many – if any – are affected.

State insurance officials say they will take punitive action if their investigation reveals the company waited too long to warn policy holders.

Tags: identity theft, blue cross blue shield of Georgia, security breach, class action lawsuit