Attorney General Announces Health Net Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info


Attorney General Richard Blumenthal today announced a settlement — the first of its kind in the nation — with Health Net and its affiliates for failing to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.

The settlement provides powerful protections for consumers and a $250,000 payment to the state — and marks the first action by a state attorney general for violations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

The agreement resolves allegations that Health Net violated HIPAA, as well as state privacy protections regarding personal data such as social security numbers and financial information. 

Blumenthal sued after Health Net allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information.

Underscoring the seriousness of the matter, Blumenthal learned that the company delayed notifying consumers and law enforcement authorities, and that an investigation by a Health Net consultant concluded the disk drive was likely stolen.

Blumenthal negotiated stronger protections for individuals than what Health Net initially offered, including two years of credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes.

“This settlement is sadly historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost half a million Health Net enrollees in Connecticut were exposed for at least six months before Health Net notified appropriate authorities and consumers.

“More than the money, this settlement sends a strong message to Health Net and all guardians of private health and financial information about their profound responsibilities to protect medical and financial records.

“These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. This settlement provides powerful systemic protections for consumers and payment to taxpayers.”

The settlement involves Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.

Blumenthal commended the companies for cooperating in resolving this matter, accepting responsibility for this data breach, and through remedial efforts, committing financial and other resources to set a new industry standard in protecting private health and other information.

Blumenthal’s lawsuit, in coordination with Department of Consumer Protection (DCP) Commissioner Jerry Farrell, Jr., was filed to ensure that every measure was taken to protect against any losses such as identity theft, or other improper use of this private information.

Under this settlement, Health Net and its affiliates have agreed to:

  • A “Corrective Action Plan” in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
  • A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals’ private information.
  • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members