CT Breaches Lead to Tougher Notification Requirement

The Connecticut Insurance Department issued a bulletin last month that calls for state insurers to notify affected individuals and the state's insurance commissioner of a breach of patient information no later than five calendar days after its discovery.

This makes the requirement even more strict than California, whose five "business days" requirement is known to be one of the toughest in the country.

Connecticut's insurance officials made the move "in order to assure that Connecticut consumers are fully protected and informed in the event of any information security incident ... that could pose a potential risk to the privacy of an individual's personal health and/or financial information," according to the bulletin.

Dawn McDaniel, a spokesperson for the Connecticut Insurance Department, told HealthLeaders Media in an e-mail the bulletin is in response to “some recent data breaches which were not reported in what we believe to be a timely manner.”

Though McDaniel did not cite it specifically, Connecticut’s state attorney general office July 6 announced it had reached a settlement with Health Net and its affiliates over the failure last year to secure the private medical records of 1.5 million policyholders and for the insurers' delay in reporting the breach.

The settlement imposed a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.

The settlement involved Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.

On May 14, 2009, the loss or theft of a portable computer disk drive at the company's Shelton, CT office impacted about 446,000 Connecticut policy and 1 million other policy holders across the nation. The breached data included personal health records, bank account numbers, and social security numbers. Health Net waited until Nov. 30 to provide notice of the breach.