business
Connecticut sues Health Net over data security breach
■ The insurer becomes the first plan sued under a new law allowing attorneys general to enforce HIPAA privacy laws.
By Emily Berry — Posted Feb. 1, 2010
- WITH THIS STORY:
- » Post-breach action plan
- » When plans lose data
- » Correction
- » Related content
Connecticut Attorney General Richard Blumenthal has filed a lawsuit against California-based Health Net, alleging the company violated federal laws protecting medical records when a portable data drive disappeared.
According to Blumenthal's office, the Jan. 13 lawsuit is the first action by an attorney general acting under the Health Information Technology for Economic and Clinical Health, or HITECH Act (part of the 2009 federal stimulus package) to enforce privacy laws under the Health Insurance Portability and Accountability Act.
"Sadly, this lawsuit is historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said in a statement.
The lawsuit says the drive contained 27.7 million pages of scanned documents containing information about 446,000 enrollees and their physicians. The data was not encrypted, the lawsuit said, as required by HIPAA and by Health Net's own corporate policy.
UnitedHealth Group, which late last year won approval from state insurance commissioners to take control of Health Net's business in Connecticut, New Jersey and New York, is also named as a defendant in the case.
Connecticut State Medical Society Executive Vice President Matthew Katz praised the attorney general's action.
"It is such an important issue, because it deals with personal information not only for patients but physician data that was taken," he said.
Katz said he hoped the attorney general's action would force Health Net not only to respond correctly to the breach, but also to adopt new policies to protect sensitive information in the future.
According to Health Net, the lost drive contained medical records dating to 2002 and included information about both members and network physicians in New York, New Jersey and Connecticut.
Health Net claimed the data would have been nearly impossible to decipher without special software owned by Health Net.
In December 2009, citing a report by security firm Kroll prepared for Health Net, Blumenthal publicly disputed Health Net's characterization. Kroll had noted in its report that the data on the drive would be readable using commonly available software, Blumenthal said. He asked federal authorities to investigate.
A week before filing the lawsuit, Blumenthal announced his candidacy for the U.S. Senate seat held by retiring Sen. Christopher Dodd (D, Conn.).
Both the medical society and attorney general have been especially critical of the time it took Health Net to notify anyone of the breach -- the drive disappeared in May 2009, and Health Net did not notify insurance commissioners in four affected states until November 2009. Health Net has said it needed to wait for security consultants to establish exactly what was missing before it reported anything to authorities or to its members.
Health Net said it was reviewing Blumenthal's lawsuit and added, "To date, Health Net has no evidence that there has been any misuse of the data."
Affected physicians and members can contact Health Net to sign up for two years of credit monitoring and credit repair services at no charge. Health Net also offered $1 million of identity theft insurance coverage to affected parties.
Data breaches at other plans
Health Net is not alone in facing fallout from recent data security breaches. In January, Kaiser Permanente announced it had sent letters of apology to 15,500 members in Northern California after an employee's laptop containing sensitive information was stolen from her home.
Meanwhile, BlueCross BlueShield of Tennessee in January released details about what kind of information was stored in hard drives stolen from a former call center facility in October 2009.
The drives contained hundreds of thousands of video and audio recordings of customer service calls. The company announced that as many as 500,000 members' information was contained on the drives, and it offered to pay for credit monitoring services at one of three levels, depending on how much of their personal information was compromised.
Company spokeswoman Mary Thompson said those analyzing the data are still trying to identify what kind of information about physicians would have been in the files and how many might be affected.












