Connecticut Attorney General Richard Blumenthal has filed a lawsuit charging Health Net of Connecticut Inc. with violations of the HIPAA privacy and security rules following a large breach of identifiable medical records and Social Security numbers.

Blumenthal's office believes this is the first lawsuit by a state's chief legal officer since the HITECH Act last year gave state attorneys general authority to prosecute HIPAA privacy and security violations.

Parent company Health Net in Los Angeles last November reported to insurance officials in four states the disappearance in May of a hard drive with protected health information on 1.5 million members, including 446,000 in Connecticut. The data was not encrypted, but Health Net said it is invisible without the use of specific software. The company attributed the delay in reporting the breach to a lengthy forensic investigation to determine what information was on the hard drive.

In the lawsuit, Blumenthal charges Health Net did not have adequate legal grounds to delay notifying members of the breach and that the delay constituted an unfair trade practice under state law. "Under information and belief, no law enforcement agency determined that the notification to affected Connecticut residents would have impeded a criminal investigation and requested that the notification be delayed," according to the suit.

Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices. He also seeks civil fines.

New federal rules mandated under the HITECH Act require "timely" notification of certain breaches of health information. The rules were effective in September and have a compliance deadline of Feb. 22, 2010.

Health Net of Connecticut on Jan. 13 released the following statement within hours of receiving the lawsuit:

"Protecting the privacy of our members is extremely important to us. Health Net's company policy states that data must be encrypted and secured. Health Net has just received a copy of the lawsuit and is in the process of reviewing it. We will continue to work cooperatively with the Connecticut Attorney General on this matter.

"To date, Health Net has found no evidence that there has been any misuse of the data. Health Net is offering two years of free credit monitoring services for all impacted members who elect this service. This service also includes $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years, if needed. Additionally, if members experience any identity theft between May 2009 and the data of their enrollment, Health Net will provide services to restore the member's identity at no cost to the member."

The lawsuit was filed Jan. 13 with the United States District Court of Connecticut.

--Joseph Goedert

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access