The lawsuit, filed Jan. 13, was the first of its kind filed in the wake of the HITECH Act, which enabled state attorneys general to bring civil action in federal court for violations of HIPAA security and privacy rules.
The case, dating back to May 14, 2009, involved the loss of an unencrypted portable disk drive holding records for more than 500,000 enrollees in Connecticut and more than 1.5 million consumers nationwide, according to a release from the attorney general. The drive included 28 million scanned, unencrypted pages of documents, such as claims and membership forms, appeals, grievances and medical records, according to the lawsuit. Information in the documents included names, addresses, bank account numbers and Social Security numbers.
Woodland Hills, Calif.-based Health Net agreed to offer those affected two years of credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes.
Also as part of the settlement, the insurer agreed to a "corrective action plan" to comply with HIPAA, including improved identity theft protection; system controls; management and oversight structures; training for employees; and incentives, monitoring and reports.
Also, the insurer will pay the state another $500,000 if it's determined that the lost disk drive was accessed and personal information used illegally.
Blumenthal alleged that the company delayed notifying consumers and law enforcement authorities about the incident. An investigation by a Health Net consultant concluded the disk drive likely was stolen, he added.
In other healthcare breach news, Blumenthal recently announced that he launched an investigation of a breach at insurer WellPoint Inc. that's now estimated to have affected about 480,000 individuals, including "thousands" in Connecticut. That case involved a web site glitch that exposed patient data.