Health Net data breach brings first HITECH state enforcement action

In the first case of a state attorney general enforcing general HIPAA regulations under HITECH, Connecticut Attorney General Richard Blumenthal this week sued Health Net of Connecticut for misplacing the medical and financial information of nearly 450,000 enrollees, and failing to notify those affected in a timely manner. 

The lawsuit comes nearly eight months after the insurer discovered that a portable computer disk drive with unencrypted information disappeared from Health Net's Shelton office. Although the missing data included protected health information and social security and bank account numbers, it took Health Net six months to notify appropriate authorities and the affected enrollees, Blumenthal said.

"The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable," he said. "Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers." 

Last May, state attorney generals were given authorization to enforce HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Until this week, none had actually done so. 

"Sadly, this lawsuit is historic," Blumenthal said. 

For more about the lawsuit:
- read this press release

Suggested Articles

The profit margins and management of Community Health Group raise questions about oversight of managed care insurers.

Financial experts are warning practices about the pitfalls of promoting medical credit cards to their patients.

A proposed rule issued by HHS on Tuesday would expand short-term coverage, a move Seema Verma said will have "virtually no impact" on ACA premiums.