Blumenthal files data breach suit
HARTFORD, Conn. (Legal Newsline) - Following a security breach involving health information, social security numbers and bank account numbers for approximately 446,000 Health Net of Connecticut, Inc., enrollees, Connecticut Attorney General Richard Blumenthal has filed a lawsuit.
Blumenthal's suit also seeks a court order to require that any protected health information on Health Net's portable electronic devices be encrypted. The court order would block Health Net from continued violations of the Health Insurance Portability and Accountability Act.
"Failing to protect patient privacy blatantly violates federal law and Health Net's public trust," Blumenthal said. "We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties."
The case makes Blumenthal the first state attorney general to take action over violations of HIPAA since attorneys general were authorized by the Health Information Technology for Economic and Clinical Act to do so.
"Sadly, this lawsuit is historic - involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said.
"Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months - most likely by thieves - before Health Net notified appropriate authorities and consumers."
The suit arises from the loss of a portable computer disk drive from Health Net's Shelton office. Health Net learned on or about May 14 that the drive, which contained information on past and present Connecticut enrollees, was missing.
The drive included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.
Kroll, Inc., a computer forensic consulting firm hired by Health Net, discovered that the data on the drive was not encrypted or otherwise protected from access and viewing by unauthorized or third parties. Both Health Net policies and federal law require the private and personal information contained on the drive be encrypted.
"These missing medical records included some of the most personal, intimate patient information - exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft," Blumenthal said.
Health Net, Blumenthal alleges, failed to promptly notify the attorney general's office or any other Connecticut authorities following the drive's disappearance. Additionally, in spite of requirements of federal law, Health Net failed to promptly notify residents whose personal information had been compromised.
Six months after the discovery of the security breach, Health Net posted a notice on its website and sent letters to consumers beginning Nov. 30, on a rolling basis.
The lawsuit against Health Net alleges that it also failed to effectively supervise and train its workforce on necessary policies and procedures concerning appropriate maintenance, use and disclosure of protected health information.
UnitedHealth Group Inc. and Oxford Health Plans LLC are also named in the lawsuit. Those companies, which did not cause the data breach, have acquired ownership of Health Net of Connecticut.