Health Net keeps paying for its data breach in 2009.
The Connecticut Insurance Commission announced Monday that it reached a settlement with Health Net in which the insurer will pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.
The fine stems from the untimely notification of the 2009 loss of a disk drive from the Shelton, CT, location resulting in the loss of PHI of approximately 500,000 Connecticut members.
Health Net cooperated fully with the state. It provided credit monitoring protection for two years to all Connecticut members and providers affected and "has undertaken significant steps to improve data and equipment security in both Shelton locations," according to the state's press release.
"We are pleased with the way Health Net responded to the department's concerns regarding its internal practices," Commissioner Thomas R. Sullivan said in a statement. "I believe they have taken the proper actions to implement systemic changes and guard against injury to its members resulting from the lost disk drive."
In July, Connecticut's state attorney general's office announced that it has reached a settlement with Health Net and its affiliates over the failure to secure the private medical records of policyholders and for the insurers' delay in reporting the breach.
Connecticut Attorney General Richard Blumenthal said the settlement imposes a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.