Insurer Health Net has settled a lawsuit that Connecticut Attorney General Richard Blumenthal filed in January following a large data breach.

The suit was the first filed--and now the first settled--since the HITECH Act gave state attorneys general enforcement jurisdiction over the rules. Under settlement terms, Los Angeles-based Health Net will pay Connecticut $250,000 in statutory damages and implement a corrective action plan to improve compliance with the rules.

Health Net last November reported to insurance officials in four states the disappearance in May 2009 of a hard drive with protected health information on 1.5 million members, including 446,000 in Connecticut. The data was not encrypted but Health Net said it is "invisible" without the use of specific software. The company attributed the delay in reporting the breach to a lengthy forensic investigation to determine information on the hard drive. There is no evidence that data on the drive has been misused. If misuse is established, Health Net will pay the state an additional $500,000 under the settlement.

Blumenthal in the suit charged that Health Net did not have adequate legal grounds to delay notifying affected members and the delay constituted an unfair trade practice under state law. He also asserted 12 violations of the HIPAA privacy and security rules. Health Net at the time said it would work with Blumenthal to answer all of his questions and it was offering affected members credit and identity protection services at no cost.

Health Net issued a statement following settlement of the suit:

"Protecting the privacy of our members is extremely important to us. As the Connecticut Attorney General stated, Health Net has worked closely and cooperatively with his office and state regulators to enhance our security systems and controls through additional associate training and education, as well as state-of-the-art security programs. All of these improvements will result in Health Net being in the forefront of securing member health information.

"As stated in the agreement with the Attorney General, to date Health Net has no evidence that there has been any misuse of the data. Health Net has offered two years of free credit monitoring services for all impacted members who elect this service. This service also includes $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years, if needed. Additionally, if members experience any identity theft between May 2009 and the date of their enrollment in the service, Health Net will provide services to restore the member's identity at no cost to the member."

--Joseph Goedert

 

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access