Health Information Compliance Alert

Industry News:

Health Net Sued For HIPAA Violations -- Slipped Up When It Came To Keeping PHI Safe

HITECH Act shows its teeth within 4 months of being implemented.

In the first lawsuit of its kind since the HITECH Act became official last year and gave state attorneys general authority to prosecute HIPAA privacy and security violations, Connecticut Attorney General Richard Blumenthal has filed a lawsuit charging Health Net of Connecticut Inc. with a large breach of identifiable medical records and Social Security numbers, according to a press release from the Connecticut Attorney General's office.

In November 2009, parent company Health Net had reported a missing hard disk holding protected health information (PHI) on 1.5 million members, including 446,000 in Connecticut, according to reports. Although the data on the disk was not encrypted, Health Net officials said particular software was needed to read it. Health Net further attributed the delay in reporting the loss to a lengthy in-house forensic investigation to determine the exact magnitude of the loss.

But according to Blumenthal, this delay constituted an unfair trade practice under Connecticut state law. "Under information and belief, no law enforcement agency determined that the notification to affected Connecticut residents would have impeded a criminal investigation and requested that the notification be delayed," said the suit, the press release further indicated.

"Sadly, this lawsuit is historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months -- most likely by thieves -- before Health Net notified appropriate authorities and consumers," the Attorney General was quoted as saying in the press release.

Apart from seeking civil fines, the attorney general is now also seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices.

New federal rules mandated under the HITECH Act require "timely" notification of certain breaches of health information. The rules were effective in September 2009 and have a compliance deadline of Feb. 22, 2010.

In a press statement, released within hours of receiving the lawsuit, a Health Net spokesperson said: "Protecting the privacy of our members is extremely important to us. Health Net's company policy states that data must be encrypted and secured. Health Net has just received a copy of the lawsuit and is in the process of reviewing it. We will continue to work cooperatively with the Connecticut Attorney General on this matter."

The spokesperson further said that, as of the date the statement was issued, there was no evidence that the lost data had been misused in any way, and that the company was offering two years of free credit monitoring services to all impacted members who elect this service. If needed, the company would also provide $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years to impacted members, a company spokesperson said.

(Editor's note: Attorney General Blumenthal's office's press release on this case is posted at: www.ct.gov/ag/cwp/view.asp?Q=453916&A=3869.)