Connecticut sues Health Net over data security breach

The insurer becomes the first plan sued under a new law allowing attorneys general to enforce HIPAA privacy laws.

By Emily Berry — Posted Feb. 1, 2010


Connecticut Attorney General Richard Blumenthal has filed a lawsuit against California-based Health Net, alleging the company violated federal laws protecting medical records when a portable data drive disappeared.

According to Blumenthal's office, the Jan. 13 lawsuit is the first action by an attorney general acting under the Health Information Technology for Economic and Clinical Health, or HITECH Act (part of the 2009 federal stimulus package) to enforce privacy laws under the Health Insurance Portability and Accountability Act.

"Sadly, this lawsuit is historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said in a statement.

The lawsuit says the drive contained 27.7 million pages of scanned documents containing information about 446,000 enrollees and their physicians. The data was not encrypted, the lawsuit said, as required by HIPAA and by Health Net's own corporate policy.

UnitedHealth Group, which late last year won approval from state insurance commissioners to take control of Health Net's business in Connecticut, New Jersey and New York, is also named as a defendant in the case.

Connecticut State Medical Society Executive Vice President Matthew Katz praised the attorney general's action.

"It is such an important issue, because it deals with personal information not only for patients but physician data that was taken," he said.

Katz said he hoped the attorney general's action would force Health Net not only to respond correctly to the breach, but also to adopt new policies to protect sensitive information in the future.

According to Health Net, the lost drive contained medical records dating to 2002 and included information about both members and network physicians in New York, New Jersey and Connecticut.

Health Net claimed the data would have been nearly impossible to decipher without special software owned by Health Net.

In December 2009, citing a report by security firm Kroll prepared for Health Net, Blumenthal publicly disputed Health Net's characterization. Kroll had noted in its report that the data on the drive would be readable using commonly available software, Blumenthal said. He asked federal authorities to investigate.

A week before filing the lawsuit, Blumenthal announced his candidacy for the U.S. Senate seat held by retiring Sen. Christopher Dodd (D, Conn.).

Both the medical society and attorney general have been especially critical of the time it took Health Net to notify anyone of the breach -- the drive disappeared in May 2009, and Health Net did not notify insurance commissioners in four affected states until November 2009. Health Net has said it needed to wait for security consultants to establish exactly what was missing before it reported anything to authorities or to its members.

Health Net said it was reviewing Blumenthal's lawsuit and added, "To date, Health Net has no evidence that there has been any misuse of the data."

Affected physicians and members can contact Health Net to sign up for two years of credit monitoring and credit repair services at no charge. Health Net also offered $1 million of identity theft insurance coverage to affected parties.

Data breaches at other plans

Health Net is not alone in facing fallout from recent data security breaches. In January, Kaiser Permanente announced it had sent letters of apology to 15,500 members in Northern California after an employee's laptop containing sensitive information was stolen from her home.

Meanwhile, BlueCross BlueShield of Tennessee in January released details about what kind of information was stored in hard drives stolen from a former call center facility in October 2009.

The drives contained hundreds of thousands of video and audio recordings of customer service calls. The company announced that as many as 500,000 members' information was contained on the drives, and it offered to pay for credit monitoring services at one of three levels, depending on how much of their personal information was compromised.

Company spokeswoman Mary Thompson said those analyzing the data are still trying to identify what kind of information about physicians would have been in the files and how many might be affected.



Post-breach action plan

The AMA advocates that once a data breach is discovered, health insurers should:

  • Immediately notify physicians of the breach.
  • Offer free credit monitoring and adequate identity theft insurance, from more than one company, for at least 5 years.
  • Publicly report confirmed cases of identity theft related to the data breach.
  • Provide legal protection and indemnification for any losses that result because of the breach.
  • Store personal information of physicians and other health care professionals electronically in encrypted form to reduce the likelihood of a future breach or loss of data.

Source: AMA Practice Management Center


When plans lose data

Recent data security breaches reported by health plans have left physicians and patients vulnerable to identity theft. Thus far, none of these recent cases has resulted in a report of misuse of identifying information. Among them:

BlueCross BlueShield Assn.: In October 2009, the association disclosed that an employee's laptop containing identifying information about as many as 850,000 physicians had been stolen from the employee's car several weeks earlier. The association offered some affected physicians free credit monitoring.

Health Net: In November 2009, Health Net announced that a portable data drive had "gone missing" from a Connecticut office six months earlier, compromising information for as many as 446,000 current and former members and an unknown number of network physicians in Connecticut, New Jersey and New York.

BlueCross BlueShield of Tennessee: The Blues plan disclosed last year that two hard drives had been stolen from a leased building that had previously been used as a call center. The drives contained audio and video recordings of customer service calls that captured identifying data and medical information for as many as 500,000 members. The company offered three levels of credit monitoring to affected members, depending on what kind of information about them was contained on the drives. (See correction)

Kaiser Permanente: Kaiser announced in January that identifying information for 15,500 patients in Northern California was compromised when a Kaiser employee's laptop was stolen from her car in December 2009. The employee was fired. Kaiser notified authorities and apologized for the incident, but it did not offer credit monitoring services to those affected.

Source: Company news releases



This article incorrectly reported the number of hard drives stolen from a building leased by BlueCross BlueShield of Tennessee in October 2009. The correct number was 57. American Medical News regrets the error.
