On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.
The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health (“HITECH“) Act authorized state attorneys general to enforce HIPAA. The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:
- A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
- A $250,000 payment to the state representing statutory damages.
- An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.