Health Net will pay $55,000 to settle a complaint that it didn't inform customers in Vermont that their personal information was lost along with an unencrypted computer hard drive. The Connecticut-based insurer also must submit to a data-security audit and file reports with Vermont regarding its security programs for the next two years.
The case arose after the loss of a portable hard drive that contained protected health information, Social Security numbers and financial information of roughly 1.5 million people, including 525 Vermonters. Health Net discovered the drive was missing on May 14, 2009, but did not start notifying affected Vermont residents until more than six months later, notes the Insurance Journal.
When it did notify Vermont residents, Health Net told them that it believed their risk of harm was low because "the files on the missing drive were not saved in a format that can be easily accessible." However, according to the Vermont attorney general's office, the files on the unencrypted drive were in TIF format, which can be viewed using many types of freely available software.
The complaint and proposed settlement with Health Net and Health Net of the Northeast were both filed on Friday, the Associated Press reports. The complaint alleges that Health Net's six-month delay in notifying Vermont residents violates the Security Breach Notice Act, which requires data collectors to notify affected individuals of security breaches "in the most expedient time possible and without unreasonable delay."
The complaint also alleges that Health Net violated HIPAA by failing to secure protected health information, and that the company violated the Consumer Fraud Act by misrepresenting the risk posed to affected individuals in the company's notice letters, according to the attorney general's office.
Since that data breach also jeopardized Connecticut members, the Connecticut Insurance Department fined Health Net and its affiliates $375,000 for putting customers' personal data at risk, reports the Hartford Business Journal.