January 18, 2010
Attorney General William Sorrell filed a complaint and proposed settlement Friday with Health Net, Inc., and Health Net of the Northeast, Inc., regarding the health insurance company's loss of an unencrypted portable hard drive containing protected health information. The complaint alleges violations of HIPAA (the Health Insurance Portability and Accountability Act), Vermont's Security Breach Notice Act, and Consumer Fraud Act. The settlement requires the defendants to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company's information security programs for the next two years.
"Consumers expect - and the law requires - that personal information be treated with the utmost care," said Attorney General William Sorrell. "Identity theft remains one of the fastest growing crimes in America. Companies must be careful to prevent Vermonters' sensitive information, especially their medical records, from falling into the wrong hands."
The lawsuit is Vermont's first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009. The case arises from a portable hard drive that contained protected health information, social security numbers, and financial information of approximately 1.5 million people, including 525 Vermonters. Health Net discovered that the drive was missing on May 14, 2009 and did not start notifying affected Vermont residents until more than six month later. When it did notify Vermont residents, Health Net told them that it believed their risk of harm was "low" because "the files on the missing drive were not saved in a format that can be easily accessible." The files on the unencrypted drive were in TIF (Tagged Image File) format, which can be viewed using a variety of freely available software.
The complaint alleges that Health Net's six month delay in notifying Vermont residents violates the Security Breach Notice Act. That law requires data collectors to notify affected individuals of security breaches "in the most expedient time possible and without unreasonable delay." The complaint further alleges that Health Net violated HIPAA by failing to secure protected health information, and that the company violated the Consumer Fraud Act by misrepresenting the risk posed to affected individuals in the company's notice letters.
The complaint and proposed consent decree were filed in the U.S. District Court for the District of Vermont. The consent decree must be approved by a judge before it takes effect. Health Net, Inc., and Health Net of the Northeast, Inc., cooperated with the Vermont Attorney General's investigation of this matter and have settled similar actions in Connecticut and New York.