Health Net Fined Second Time for Breach
State Penalty Follows HITECH Act Case Settlement
The Connecticut Insurance Department announced this week that it has fined the Woodland Hills, Calif.-based insurer $375,000 for "failures to safeguard the personal information of its members from misuse by third parties," according to a statement from Commissioner Thomas R. Sullivan. The "most prominent failure" was the untimely notification of 500,000 state residents regarding the loss of a disk drive last year, the statement notes.
Groundbreaking HITECH Lawsuit
Back in July, Health Net agreed to pay $250,000 in damages and offer stronger consumer protections to settle a HITECH Act civil lawsuit filed in federal court by Connecticut Attorney General Richard Blumenthal, who recently was elected U.S. Senator. That suit also centered on the insurer's failure to promptly notify those affected by the breach incident, but focused on violation of federal, not state, law. The lawsuit claimed that the insurer did not notify consumers about the May 2009 breach until November 2009, when it posted a notice on its website and began sending letters to individuals affected.
The federal lawsuit, filed Jan. 13, was the first of its kind filed in the wake of the HITECH Act, which enabled state attorneys general to bring civil action in federal court for violations of HIPAA security and privacy rules.
Under the HITECH Act interim final breach notification rule, healthcare organizations must report breaches affecting 500 or more individuals to federal authorities, the media and those affected within 60 days.
As part of its efforts to call attention to the need to report breaches promptly, the Connecticut Insurance Department issued a bulletin in August requiring all insurance companies doing business in the state to report information breaches to state authorities within five calendar days, even if the data involved was encrypted. The state's action was "in response to some recent data breaches which were not reported in what we believe to be a timely manner," a department spokesman said. Under a separate data breach notification statute, all businesses in the state must report breaches of computerized personal information "without reasonable delay."
Breach Incident Details
The Health Net breach incident, dating back to May 14, 2009, involved the loss of an unencrypted portable disk drive holding records for more than 500,000 enrollees in Connecticut and more than 1.5 million consumers nationwide, according to an earlier release from the attorney general. The drive included 28 million scanned, unencrypted pages of documents, such as claims and membership forms, appeals, grievances and medical records, according to the HITECH lawsuit. Information in the documents included names, addresses, bank account numbers and Social Security numbers.
In the HITECH case, Health Net agreed to offer those affected two years of credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes.
Also as part of that settlement, the insurer agreed to a "corrective action plan," to comply with HIPAA, including improved identity theft protection; system controls; management and oversight structures; training for employees; and incentives, monitoring and reports.
In his statement, Sullivan, the insurance commissioner, noted Health Net has "undertaken significant steps to improve data and equipment security. ... Under the terms of the settlement, none of the cost of those improvements will be passed along to Health Net members."