Health Net Settles Breach Suit

Pays $250,000 in Connecticut Case
Health Net Settles Breach Suit
Insurer Health Net will pay $250,000 in damages and offer stronger consumer protections to settle a lawsuit filed by Connecticut Attorney General Richard Blumenthal over a breach in 2009.

The lawsuit, filed Jan. 13, was the first of its kind filed in the wake of the HITECH Act, which enabled state attorneys general to bring civil action in federal court for violations of HIPAA security and privacy rules.

The case, dating back to May 14, 2009, involved the loss of an unencrypted portable disk drive holding records for more than 500,000 enrollees in Connecticut and more than 1.5 million consumers nationwide, according a release from the attorney general. The drive included 28 million scanned, unencrypted pages of documents, such as claims and membership forms, appeals, grievances and medical records, according to the lawsuit. Information in the documents included names, addresses, bank account numbers and Social Security numbers.

Woodland Hills, Calif.-based Health Net agreed to offer those affected two years of credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes.

Also as part of the settlement, the insurer agreed to a "corrective action plan," to comply with HIPAA, including improved identity theft protection; system controls; management and oversight structures; training for employees; and incentives, monitoring and reports.

Also, the insurer will pay the state another $500,000 if it's determined that the lost disk drive was accessed and personal information used illegally.

Blumenthal alleged that the company delayed notifying consumers and law enforcement authorities about the incident. An investigation by a Health Net consultant concluded the disk drive likely was stolen, he added.

In other healthcare breach news, Blumenthal recently announced that he launched an investigation of a breach at insurer WellPoint Inc. that's now estimated to have affected about 480,000 individuals, including "thousands" in Connecticut. That case involved a web site glitch that exposed patient data.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.