On November 8, 2010, Connecticut Insurance Commissioner Thomas Sullivan announced that Health Net of Connecticut, Inc. (“Health Net”) had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties. The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut. Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.
In May 2009, a portable, external hard disk was lost or stolen from a Health Net facility in Shelton, Connecticut. The disk drive contained medical claims and financial information of nearly 1.5 million Health Net customers, including approximately 500,000 Connecticut residents. As previously reported on our blog, on January 12, 2010, Connecticut Attorney General Richard Blumenthal filed a complaint against Health Net relating to the data breach and Health Net’s “untimely notification” to the Connecticut Insurance Department. A spokesperson for Health Net has indicated that as of November 8, 2010, the company had no evidence of misuse of the lost data.