Connecticut Attorney General Richard Blumenthal has announced that his office has reached a settlement with health insurance company Health Net over a failure to secure patient information on almost a half-million state enrollees, and subsequent failure to promptly notify consumers about the breach. The settlement involves Health Net of the Northeast Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.
As previously reported in DOTmed, Blumenthal filed a federal suit against the company, alleging that in May of 2009 Health Net learned that a portable computer disk drive containing protected health information (social security numbers and bank account numbers) for the Connecticut enrollees disappeared from the company's Shelton, CT office. According to the complaint in the suit, Health Net delayed and otherwise failed to properly inform the state attorney general's office, the Connecticut Department of Insurance, Department of Consumer Protection or any other government agency authority of the missing drive and its health and private information. The unencrypted disk drive allegedly contained 27.7 million scanned pages of over 120 different types of documents, including insurance claims forms, membership forms, appeals and grievances, correspondence and medical records.
Blumenthal said in a press release that a Health Net consultant later investigated and concluded that the disk drive was probably stolen. The suit was the first by a state attorney general for violations of the federal Health Insurance Portability and Accountability Act of 1996, after the Health Information Technology for Economic and Clinical Health Act authorized state attorneys general to enforce HIPAA. The settlement includes a $250,000 payment to the state. Blumenthal praised the companies involved for cooperating in the matter and accepting responsibility.
According to the stipulated judgment entered in the case, Health Net and affiliates have agreed to a corrective action plan. Health Net will be using a third-party service to monitor and protect new members, and to have credit restoration services for any identity theft that occurs. The company will also improve existing privacy and security programs, including training for employees, monitoring and reports.
"This settlement is sadly historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said in the press release. "More than the money, this settlement sends a strong message to Health Net and all guardians of private health and financial information about their profound responsibilities to protect medical and financial records."