CT Settles With Health Net Over Security Breach

By John Commins | July 06, 2010

Connecticut announced Tuesday that it has reached a settlement with Health Net and its affiliates over their failure last year to secure the private medical records of 1.5 million policyholders and over the insurers' delay in reporting the breach.

Connecticut Attorney General Richard Blumenthal said the settlement imposes a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.

The settlement involves Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.

Blumenthal said the insurers cooperated with the settlement, accepted responsibility for the breach, and agreed to a remedial action plan.

The May 14, 2009 loss or theft of a portable computer disk drive at the company's Shelton, CT office impacted about 446,000 Connecticut policyholders and 1 million other policyholders across the nation. The breached data included personal health records, bank account numbers, and Social Security numbers. Health Net waited until Nov. 30 to provide notice of the breach.

The information included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals, grievances, correspondence, and medical records.

Health Net had maintained that the disk drive had been misplaced, but Blumenthal said a consultant hired by Health Net concluded that it had been stolen.

"This settlement is sadly historic — involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said in a statement. "These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft," he said.

Health Net issued the following statement: "Protecting the privacy of our members is extremely important to us. As the Connecticut Attorney General stated, Health Net has worked closely and cooperatively with his office and state regulators to enhance our security systems and controls through additional associate training and education, as well as state-of-the-art security programs. All of these improvements will result in Health Net being in the forefront of securing member health information. As stated in the agreement with the Attorney General, to date Health Net has no evidence that there has been any misuse of the data."

Health Net has offered to pay for two years of credit monitoring services for any impacted members who elect the service.

John Commins is the news editor for HealthLeaders.
