Health Net Breach Lawsuit SettledIncludes Reimbursement for Identity Theft Losses
The settlement approved in the California superior court in Sacramento required providing certain plaintiffs with reimbursements for identity theft losses. It also required Health Net to offer credit monitoring to all 2 million affected as well as insurance coverage. Plus it called for Health Net to make unspecified changes to improve its physical and information security practices, according to settlement documents.
Under the terms of the settlement, individuals affected by the breach who accepted Health Net's original offer of two years of free credit monitoring were offered an extra year of credit monitoring; those who did not sign up for Health Net's original offer were entitled by the settlement to another chance at signing up for two years of free credit monitoring, says Matt George, an attorney at Girard Gibbs LLP, one of the California law firms representing plaintiffs in the suit.
The credit monitoring offered under the settlement also provides insurance coverage of up to $1 million per person. However, under the settlement, the deadline to sign up for the free credit monitoring was in early June, George explains. The settlement called for direct mail distribution and other outreach to breach victims to be notified about their rights to make a claim.
As a result, approximately 204,000 individuals, or more than 10 percent of the people affected by the breach, signed up for the credit monitoring services. "That's a good amount for breaches like this," George says.
Also 228 individuals also filed claims seeking reimbursement for identity theft losses, under other provisions of the settlement, which is separate from the insurance coverage offered with the credit monitoring, he says.
Under those provisions, Health Net has set aside up to $2 million to pay ID theft related expenses of up to $50,000 for each individual. Those claims cover reimbursement for expenses associated with ID theft loss, such as bank fees and other costs incurred by individuals related to ID theft events, George says.
In light of a trend for court dismissals of other high profile breach class action suits, including one this week involving Sutter Health, the settlement of the Health Net case is a win for breach victims, George says. "This is a successful result particularly given the hurdles and barriers for plaintiffs to get a foot in the door of the court house" in breach cases, he says. The Sutter case was dismissed when another California court ruled that there was no evidence that plaintiffs' data was accessed when thieves stole an unencrypted desktop computer in 2011 containing data for 4 million individuals.
Like the Sutter case, the class action against Health Net - which was the consolidation of about a dozen related lawsuits - sought for remedy under California's Confidentiality of Medical Information Act, which provides for awards of $1,000 in nominal damages to a patient if a healthcare provider negligently releases medical information or records.
The breach that's the subject of the Health Net lawsuit occurred in January 2011, when IBM notified Health Net that several unencrypted server hard drives were unaccounted for at a data center in Rancho Cordova, Calif. According to Health Net, current and former policyholders' information that was compromised included patients' names, addresses, medical information, Social Security numbers and financial information.
George says IBM was dismissed from several earlier suits related to the breach before many of the cases were consolidated into one claiming damages under the Confidentiality Act.
The Department of Health and Human Services, which lists the Health Net breach on its "wall of shame" website of breaches impacting 500 or more individuals, did not respond to an Information Security Media Group inquiry about the status of HHS' Office for Civil Rights' HIPAA investigation into the incident.
Credit Monitoring Trend
The settlement's provisions to extend credit monitoring to plaintiffs is critical in protecting against and detecting ID theft and fraud, while the provisions for Health Net to improve its security practices are also important to consumers, George says.
"Credit monitoring seems to be the default remedy in these large cases of PHI breach," notes Dan Berger, CEO of security consulting firm Redspin. "I am happy to see that Health Net submitted the changes that they have made to their physical and information security practices to the court and that the court found those be significant and weighed strongly in favor of the settlement," Berger adds.
"However, I don't like that the court went on to say [in the settlement documents] that these changes 'constitute a real benefit to all Health Net members.' Under HIPAA, there is an expectation of privacy and security of personal health information. In my opinion, fixing a problem isn't a 'benefit.' It simply brings Health Net back into compliance."
In a statement to ISMG, Health Net says the company is "pleased to bring the matter to a close, and added that, to date, it has no evidence that any confidential information on the missing drives has been accessed or misused by any third party."