Connecticut Attorney General Richard Blumenthal is suing Health Net of Connecticut, Inc., after the insurer reportedly failed to secure private medical records and financial information of 446,000 Connecticut members and then did not notify them of the possible security breach for six months.
According to the AG's office, the insurer learned that a portable computer disk drive disappeared from the company's Shelton office about May 14, 2009. The insurer contends that it was misplaced, but the AG's office says that it was stolen. The disk contained protected health information, social security numbers, and bank account numbers, according to the AG's office.
Blumenthal charges that Health Net, which has about 6.6 million members across the country, did not inform his office or other Connecticut authorities of the missing information, which included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence, and medical records.
The AG said Health Net waited six months after the breach before posting a notice on its Web site and informing members of the problem on Nov. 30.
"Sadly, this lawsuit is historic—involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers."
In a statement Wednesday, Health Net said it had just received a copy of the lawsuit and was reviewing it. The company added that it will "continue to work cooperatively with the Connecticut Attorney General on this matter." Health Net said, "To date, Health Net has no evidence that there has been any misuse of the data."
The AG's office alleges that an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, found that the data was not encrypted or protected from access by unauthorized people, which Blumenthal said is against the insurer's own policies and requirements of federal law. Blumenthal is seeking a court order to block Health Net from continued HIPAA violations by requiring that any protected health information contained on a portable electronic device be encrypted.
"These missing medical records included some of the most personal, intimate patient information—exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft," he said. "The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers," he said.
"Failing to protect patient privacy blatantly violates federal law and Health Net's public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties."
The lawsuit also names UnitedHealth Group and Oxford Health Plans, which have acquired ownership of Health Net of Connecticut, said Blumenthal.
In response to the missing information, Health Net said it is offering two years of "free credit monitoring services for all impacted members who elect this service. This service also includes $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years, if needed. Additionally, if members experience any identity theft between May 2009 and the date of their enrollment, Health Net will provide services to restore the member's identity at no cost to the member."
Les Masterson is an editor for HealthLeaders Media.