Blumenthal's office believes this is the first lawsuit by a state's chief legal officer since the HITECH Act last year gave state attorneys general authority to prosecute HIPAA privacy and security violations.
Parent company Health Net in Los Angeles last November reported to insurance officials in four states the disappearance in May of a hard drive with protected health information on 1.5 million members, including 446,000 in Connecticut. The data was not encrypted, but Health Net said it is invisible without the use of specific software. The company attributed the delay in reporting the breach to a lengthy forensic investigation to determine what information was on the hard drive.
In the lawsuit, Blumenthal charges Health Net did not have adequate legal grounds to delay notifying members of the breach and that the delay constituted an unfair trade practice under state law. "Under information and belief, no law enforcement agency determined that the notification to affected Connecticut residents would have impeded a criminal investigation and requested that the notification be delayed," according to the suit.
Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices. He also seeks civil fines.
New federal rules mandated under the HITECH Act require "timely" notification of certain breaches of health information. The rules were effective in September and had a compliance deadline of Feb. 22, 2010.
In a statement, Health Net said that protecting the privacy of its members is extremely important, adding that company policy requires that data must be encrypted and secured. The company pledged to work cooperatively with the Connecticut Attorney General.
"To date, Health Net has found no evidence that there has been any misuse of the data," the company said. It is offering two years of free credit monitoring services for all impacted members. The service also includes $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years.
Be the first to comment on this post using the section below.