Last week, Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut (Health Net), part of Health Net, Inc., a multi-state managed care company, for violations of the Health Insurance Portability and Accountability Act (HIPAA). Health Net is accused of failing to secure the private medical records and financial information of 446,000 Connecticut enrollees and of failing to promptly notify the consumers endangered by the breach. Under a provision of the 2009 economic stimulus bill (the HITECH Act), state attorneys general may bring civil actions to enforce HIPAA, and this is believed to be the first such action.
The lawsuit stems from the disappearance in 2009 of a portable hard drive from Health Net's offices. The drive held protected health information, Social Security numbers and bank account numbers for 1.5 million current and former members, including 446,000 in Connecticut, spread across millions of documents: insurance claim forms, membership forms, appeals and grievances, correspondence and medical records. None of the data was encrypted, so anyone who obtained the drive could read it with commonly available software.
The complaint alleges that Health Net violated HIPAA in three ways: it did not ensure the confidentiality and integrity of Protected Health Information (PHI); it did not supervise and train its workforce on policies and procedures for the appropriate maintenance, use and disclosure of PHI; and it did not promptly notify Connecticut authorities and residents of the breach. According to the complaint, Health Net discovered the breach in May 2009 but did not notify affected consumers until nearly six months later. For comparison, the HIPAA breach notification rule added by HITECH requires notice to affected individuals without unreasonable delay and in no case later than 60 days after the breach is discovered.
Other attorneys general are expected to use the HIPAA enforcement powers granted under the Health Information Technology for Economic and Clinical Health (HITECH) Act. This case underscores that every entity covered by HIPAA must not only encrypt PHI on portable media and apply other safeguards, but also maintain robust data breach policies and procedures and train staff on how to respond when a breach occurs. Encryption matters twice over here: under HITECH, PHI encrypted to the standard in HHS guidance is not "unsecured" PHI, so the loss of a properly encrypted drive would not have triggered the notification obligation at issue in this suit.