July 7, 2010
A settlement -- the first of its kind in the nation -- has been reached between Health Net and its affiliates and the state of Connecticut in a security breach case.
Health Net was accused of failing to secure private patient medical records and financial information on nearly a half million Connecticut enrollees, and of failing to promptly notify consumers endangered by the breach.
The settlement provides powerful protections for consumers and a $250,000 payment to the state. It's the first action by a state attorney general for violations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.
The agreement resolves allegations that Health Net violated HIPAA, as well as state privacy protections regarding personal data such as social security numbers and financial information.
Connecticut Attorney General Richard Blumenthal sued after Health Net allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information.
Underscoring the seriousness of the matter, Blumenthal learned that the company delayed notifying consumers and law enforcement authorities, and that an investigation by a Health Net consultant concluded the disk drive was likely stolen.
Blumenthal negotiated stronger protections for individuals than what Health Net initially offered, including two years of credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes.
"This settlement is sadly historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost half million Health Net enrollees in Connecticut were exposed for at least six months before Health Net notified appropriate authorities and consumers."
This settlement, he said, "sends a strong message to Health Net and all guardians of private health and financial information about their profound responsibilities to protect medical and financial records."
Under the settlement, which involves Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans, the company and its affiliates have agreed to:
A "Corrective Action Plan" in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals' private information.
An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.