Health Net fully cooperated with the state, is providing two years of credit monitoring services to affected members and has improved data and equipment security, the insurance department said. However, it levied the fine because it believes the insurer did not notify authorities and members in a timely manner, according to its announcement.
In July, the company settled a lawsuit that Connecticut Attorney General Richard Blumenthal filed following the breach, paying $250,000 and implementing a state-approved corrective action plan.
Health Net last November reported to insurance officials in four states the disappearance in May 2009 of a hard drive with protected health information on 1.5 million members, including 446,000 in Connecticut.
Blumenthal's suit was the first filed--and the first settled--since the HITECH Act gave state attorneys general enforcement jurisdiction over the HIPAA privacy, security and breach notification rules.
Health Net issued the following statement following settlement with the insurance department:
"Protecting the privacy of our members is extremely important to us. Health Net has worked closely and cooperatively with the Connecticut Department of Insurance (DOI) to enhance our security systems and controls, and we have agreed to complete the additional security measures requested by the DOI.
"All of these improvements put Health Net at the forefront of efforts to properly secure health information. To date, Health Net has no evidence that there has been any misuse of data.
"Health Net is taking great strides to reassure our members. We have offered two years of free credit monitoring services for anyone eligible to elect this service. The service also includes $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years, if needed. Additionally, if members experience any identity theft between May 2009 and the date of their enrollment in the service, Health Net will provide services to restore the member's identity at no cost."