As reported previously on this blog (here and here) relative to cases brought by former Connecticut Attorney General Richard Blumenthal (the “Connecticut Action”) and Indiana Attorney General Greg Zoeller (the “Indiana Action”), the HIPAA/HITECH statutes and regulations regarding public disclosure of security breaches of Protected Health Information (“PHI”) have encouraged direct intervention by state attorneys general with respect to such breaches. The enactment of HITECH gave state attorneys general, for the first time, the ability to enforce HIPAA with respect to PHI security breaches in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It was also pointed out in the earlier blog postings that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.
On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the “Vermont Attorney General”) announced in a press release (the “Press Release”) that it had settled a lawsuit (the “Vermont Action”), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, “Health Net”). The Vermont Action involves a number of the same issues to which the Connecticut Action against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.
The settlement in the Vermont Action (the “Vermont Settlement”) would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, which may be contrasted to nearly 500,000 Connecticut enrollees that were the subject of the Connecticut Action.
Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, unlike the Connecticut Action and the Indiana Action, was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is “Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009.”
So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases involving alleged unreasonable and lengthy delays by insurers in notifying affected individuals. Insurers may be attractive targets because they are perceived by the public as large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital, and what the basis for such a lawsuit will be.
In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or Wellpoint PHI security breaches.
Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public, and reduce the likelihood of litigation and penalties.