Privacy and Security

Thursday, January 14, 2010

Conn. Attorney General Sues Health Net Over Data Security Breach

Connecticut Attorney General Richard Blumenthal (D) has filed a lawsuit alleging that Health Net of Connecticut failed to properly secure patient information and waited too long to inform consumers about a data breach, the Hartford Courant reports (Sturdevant, Hartford Courant, 1/13).

Blumenthal -- the brother of National Coordinator for Health IT David Blumenthal -- recently announced his bid for the Senate seat being vacated by Sen. Chris Dodd (D-Conn.) (Monegain, Healthcare IT News, 1/13).

Background

In May 2009, a portable external hard drive disappeared from Health Net's Connecticut office. The insurer did not report the missing data until six months later, in November 2009.

Health Net said it did not know whether the drive was misplaced or stolen.

The device contained financial, medical and personal information on about 1.5 million Health Net members across the country (Hartford Courant, 1/13). Some of the missing data included:

  • Bank account information;
  • Insurance claims forms;
  • Medical records; and
  • Social Security numbers (Daddona, New London Day, 1/13).

Lawsuit Details

Blumenthal's lawsuit marks the first time a state attorney general has sued over HIPAA violations. The health IT provisions of the 2009 federal economic stimulus package authorized state attorneys general to enforce the HIPAA privacy and security rules (Healthcare IT News, 1/13).

The lawsuit charges Health Net with violating company policy and federal requirements by failing to properly encrypt the patient data.

Blumenthal said his office is seeking a court order that would require Health Net to encrypt all data contained on portable electronic devices.

The lawsuit also names Oxford Health Plans and UnitedHealth Group, two firms that recently acquired ownership of Health Net.

Health Net Response

In a written statement, Health Net said it is reviewing the lawsuit and plans to work with the attorney general's office to resolve the issue.

The insurer noted that it has no evidence that anyone has misused the missing data (Masterson, HealthLeaders Media, 1/13). Health Net said it would provide two years of no-cost credit monitoring and $1 million in identity theft insurance to affected members. The insurer also said it would assist any customer who experiences fraud or identity theft following the data breach (Blesch, Modern Healthcare, 1/13).


