Connecticut AG fines Health Net $250,000 for data security violations
Connecticut Attorney General Richard Blumenthal announced a $250,000 settlement – the first of its kind in the country – with healthcare insurer Health Net and its affiliates over health data security breaches.
Blumenthal charged Health Net with failing to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and also failing to promptly notify consumers endangered by the breach.
The settlement, announced Tuesday, provides protections for consumers and a $250,000 payment to the state – and marks the first action by a state attorney general for violations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA, Blumenthal noted.
The agreement resolves allegations that Health Net violated HIPAA, as well as state privacy protections regarding personal data such as Social Security numbers and financial information.
Blumenthal sued after Health Net allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, Social Security numbers, protected health information and financial information.
An investigation by a Health Net consultant concluded the disk drive was likely stolen.
Blumenthal negotiated stronger protections for individuals than what Health Net initially offered, including two years of credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes.
"This settlement is sadly historic – involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost half a million Health Net enrollees in Connecticut were exposed for at least six months before Health Net notified appropriate authorities and consumers.
"More than the money, this settlement sends a strong message to Health Net and all guardians of private health and financial information about their profound responsibilities to protect medical and financial records.
"These missing medical records included some of the most personal, intimate patient information – exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. This settlement provides powerful systemic protections for consumers and payment to taxpayers."
The settlement involves Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.