Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization Health Net, Inc. announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these drives appear to contain the data of 1.9 million people nationwide:

The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare.

Since this is the second incident in two years for the company (see "Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit"), it will be interesting to see what kind of penalty Health Net could face from the federal government. In that regard, consider that the loss of 192 records just cost Massachusetts General Hospital $1 million. If a penalty in the same proportion were applied to this breach, Health Net could face a penalty of over $9 billion.

Connecticut Insurance Commissioner Fines Health Net of Connecticut $375,000 for Information Security Lapses

On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan, announced that the state's Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties." This included what the Insurance Department considered untimely notification of the 2009 loss of a disk drive resulting in the loss of personal health information of approximately 500,000 Connecticut members.

Health Net will be providing credit monitoring protection for 2 years to all Connecticut members and providers who were affected by the 2009 data breach. Health Net has also undertaken significant steps to improve data and equipment security. Under the terms of the settlement, none of the cost of those improvements will be passed along to Health Net members.

Sources have indicated that the overall cost to Health Net of responding to this breach has been over $7 million. Our July 7, 2010 posting contains information about the Connecticut AG's settlement of HIPAA claims with Health Net.

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and failure to promptly notify consumers endangered by the breach.


The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA. The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance, and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:


· A "Corrective Action Plan" under which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reporting.

· A $250,000 payment to the state representing statutory damages.

· An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information was used illegally, harming plan members.

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (a recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach. AG Blumenthal is also seeking a court order that would require Health Net to encrypt any protected health information ("PHI") contained on a portable electronic device.

The AG's suit stems from events in May 2009, when, he alleges, Health Net learned that a portable computer disk drive had disappeared from a company office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 of its past and present Connecticut enrollees. AG Blumenthal further alleges that Health Net failed to promptly notify his office or other Connecticut authorities of the missing information. The missing information is said to include 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence, and medical records.

According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable using commonly available software. The Connecticut Attorney General alleges that it was not until six months after Health Net discovered the breach that it posted a notice on its website, and that it then sent letters to consumers on a rolling mailing basis beginning on November 30, 2009.