State Lawsuit a Sign of Times

Connecticut case may be tip of iceberg
State Lawsuit a Sign of Times
When the Connecticut attorney general recently filed a lawsuit against an insurance company for HIPAA security violations, it was a sign of things to come.

Under the HITECH Act, state attorneys general now can bring a civil action in federal court for violations of healthcare security and privacy rules.

The Connecticut case, filed Jan. 13 against Health Net, likely is the start of a wave of state cases to come, predicts security consultant Kate Borten of the Marblehead (Mass.) Group. "Enabling state attorneys general to enforce the HIPAA rules is a powerful tool," she says.

More complaints ahead?

More consumers are likely to file complaints at the state level rather than attempt to navigate through the federal bureaucracy, she argues. "We'll see many more complaints now, and we'll see states taking a big role in enforcement," she predicts.

Until now, many smaller healthcare organizations, such as clinics, "felt pretty comfortable that they wouldn't be on the radar screen of the federal government" if they were guilty of a security violation, Borten says. Now that states are also involved in enforcement, organizations of all sizes know that they face potential penalties for their actions, she argues.

The case

On Jan. 13, Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net of Connecticut Inc. in a case involving the loss of a portable disk drive holding records for about 446,000 enrollees.

The company failed to promptly notify state officials or the individuals affected when the hard drive disappeared from an office in Shelton, Conn., on May 14, 2009, the lawsuit alleges.

The drive contained 28 million scanned, unencrypted pages of documents, such as claims and membership forms, appeals, grievances and medical records. These included names, addresses, bank account numbers and Social Security numbers, according to the lawsuit.

The insurer was acquired by a unit of UnitedHealth Group in December 2009.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.