Health Net of Connecticut Sued for Security Breach
On May 14, 2009, Health Net of Connecticut learned that a portable computer disk drive was missing from the company’s Shelton, Conn. office. The drive contained personal health information (PHI), Social Security numbers and bank account numbers for approximately 446,000 past or present Health Net enrollees. The company posted on its website a notice of the security breach six months later.
On Jan. 13, Attorney General Richard Blumenthal sued Health Net for failing to secure private patient medical records and financial information and for failing to promptly notify consumers affected by the breach. The data was not encrypted.
Blumenthal is also seeking a court order blocking Health Net from continued Health Insurance Portability and Accountability Act (HIPAA) violations by requiring all PHI contained on a portable electronic device to be encrypted.
This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA, according to the Connecticut attorney general’s office.
“Sadly, this lawsuit is historic—involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers.
“These missing medical records included some of the most personal, intimate patient information—exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft.”
The missing information included 27.7 million scanned pages of over 120 different types of documents, including insurance claims forms, membership forms, appeals and grievances, correspondence, and medical records.
“The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable,” Blumenthal said. “Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.
“Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.”
United Health Group, Inc. and Oxford Health Plans LLC also are named in the lawsuit because they own Health Net.