Connecticut Attorney General (AG) Richard Blumenthal announced Wednesday that he is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach.
Blumenthal also is seeking a court order blocking Health Net from continued violations of the Health Insurance Portability and Accountability Act (HIPAA) by requiring that any protected health information contained on a portable electronic device be encrypted.
This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.
"Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers,” said Blumenthal. "The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”
On or about May 14, 2009, Health Net learned that a portable computer disk drive disappeared from the company's office in Shelton, Conn. The disk contained protected health information, social security numbers and bank account numbers for approximately 446,000 past and present Connecticut enrollees.
Blumenthal alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing protected health and other personal and private information.
The missing information included 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.
According to an investigative report by Kroll, a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software.
Despite its own policies and requirements of federal law, Blumenthal alleges that Health Net failed to encrypt this private and protected information or promptly notify Connecticut residents whose personal information may have been compromised.
About six months after Health Net discovered the breach, the company posted a notice on its Web site, and then sent letters to consumers on a rolling mailing basis beginning on Nov. 30, 2009.
Blumenthal's suit also alleges that Health Net failed to “effectively supervise and train its workforce on policies and procedures concerning the appropriate maintenance, use and disclosure of protected health information.”
The lawsuit also names UnitedHealth Group and Oxford Health Plans. While those companies did not cause the data breach, the companies have acquired ownership of Health Net of Connecticut.