Connecticut Insurance Commissioner Fines Health Net of Connecticut $375,000 for Information Security Lapses

Posted on November 9, 2010 by Colin J. Zick

On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan announced that the state's Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties."  This included what the Insurance Department considered untimely notification of the 2009 loss of a disk drive resulting in the loss of personal health information of approximately 500,000 Connecticut members. 

Health Net will be providing credit monitoring protection for 2 years to all Connecticut members and providers who were affected by the 2009 data breach.  Health Net also has undertaken significant steps to improve data and equipment security.  Under the terms of the settlement, none of the cost of those improvements will be passed along to Health Net members.

Sources have indicated that the overall cost to Health Net in responding to this breach has been over $7 million.  Our July 7, 2010 posting contains information about the Connecticut AG's settlement of HIPAA claims with Health Net.

Tags: , , , , , ,

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

Posted on January 13, 2010 by Colin J. Zick

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach.  AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable electronic device.

The AG’s suit stems from events that occurred in May 2009, when he alleges Health Net learned that a portable computer disk drive disappeared from a company office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 of its past and present Connecticut enrollees.  AG Blumenthal further alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing information. The missing information is said to include 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.  

According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software. The Connecticut Attorney General alleges that it was not until six months after Health Net discovered the breach that it posted a notice on its website, and then sent letters to consumers on a rolling mailing basis beginning on November 30, 2009.

Tags: , , , , ,