Connecticut Attorney General Richard Blumenthal is suing Health Net of Connecticut, Inc., after the insurer reportedly failed to secure private medical records and financial information of 446,000 Connecticut members and then did not promptly notify them of the possible security breach for six months.
According to the AG's office, the insurer learned that a portable computer disk drive disappeared from the company's Shelton office about May 14, 2009. The insurer contends that it was misplaced, but the AG's office says that it was stolen. The disk contained protected health information, social security numbers, and bank account numbers, according to the AG's office.
Blumenthal charges that Health Net, which has about 6.6 million members across the country, did not inform his office or other Connecticut authorities of the missing information, which included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence, and medical records.
The AG said Health Net waited six months after the breach before posting a notice on its Web site and informing members of the problem on Nov. 30.
"Sadly, this lawsuit is historic—involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves —before Health Net notified appropriate authorities and consumers."
In a statement Wednesday, Health Net said it had just received a copy of the lawsuit and was reviewing it. The company added that it will "continue to work cooperatively with the Connecticut Attorney General on this matter." Health Net said, "To date, Health Net has no evidence that there has been any misuse of the data."