Health Net data breach brings first HITECH state enforcement action

In the first case of a state attorney general enforcing general HIPAA regulations under HITECH, Connecticut Attorney General Richard Blumenthal this week sued Health Net of Connecticut for misplacing the medical and financial information of nearly 450,000 enrollees, and failing to notify those affected in a timely manner. 

The lawsuit comes nearly eight months after the insurer discovered that a portable computer disk drive with unencrypted information disappeared from Health Net's Shelton office. Although the missing data included protected health information and social security and bank account numbers, it took Health Net six months to notify appropriate authorities and the affected enrollees, Blumenthal said.

"The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable," he said. "Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers." 

Last May, state attorney generals were given authorization to enforce HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Until this week, none had actually done so. 

"Sadly, this lawsuit is historic," Blumenthal said. 

For more about the lawsuit:
- read this press release