BUSINESS

Connecticut sues Health Net over data security breach

The insurer becomes the first plan sued under a new law allowing attorneys general to enforce HIPAA privacy laws.

By Emily Berry, amednews staff. Posted Feb. 1, 2010.

Connecticut Attorney General Richard Blumenthal has filed a lawsuit against California-based Health Net, alleging the company violated federal laws protecting medical records when a portable data drive disappeared. According to Blumenthal's office, the Jan. 13 lawsuit is the first action by an attorney general acting under the Health Information Technology for Economic and Clinical Health, or HITECH Act (part of the 2009 federal stimulus package) to enforce privacy laws under the Health Insurance Portability and Accountability Act.
"Sadly, this lawsuit is historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said in a statement. The lawsuit says the drive contained 27.7 million pages of scanned documents containing information about 446,000 enrollees and their physicians. The data was not encrypted, the lawsuit said, as required by HIPAA and by Health Net's own corporate policy. UnitedHealth Group, which late last year won approval from state insurance commissioners to take control of Health Net's business in Connecticut, New Jersey and New York, is also named as a defendant in the case.
Connecticut State Medical Society Executive Vice President Matthew Katz praised the attorney general's action. "It is such an important issue, because it deals with personal information not only for patients but physician data that was taken," he said. Katz said he hoped the attorney general's action would force Health Net not only to respond correctly to the breach, but also to adopt new policies to protect sensitive information in the future. According to Health Net, the lost drive contained medical records dating to 2002 and included information about both members and network physicians in New York, New Jersey and Connecticut. Health Net claimed the data would have been nearly impossible to decipher without special software owned by Health Net. In December 2009, citing a report by security firm Kroll prepared for Health Net, Blumenthal publicly disputed Health Net's characterization. Kroll had noted in its report that the data on the drive would be readable using commonly available software, Blumenthal said. He asked federal authorities to investigate. A week before filing the lawsuit, Blumenthal announced his candidacy for the U.S. Senate seat held by retiring Sen. Christopher Dodd (D, Conn.). Both the medical society and attorney general have been especially critical of the time it took Health Net to notify anyone of the breach -- the drive disappeared in May 2009, and Health Net did not notify insurance commissioners in four affected states until November 2009. Health Net has said it needed to wait for security consultants to establish exactly what was missing before it reported anything to authorities or to its members. Health Net said it was reviewing Blumenthal's lawsuit and added, "To date, Health Net has no evidence that there has been any misuse of the data." Affected physicians and members can contact Health Net to sign up for two years of credit monitoring and credit repair services at no charge. 
Health Net also offered $1 million of identity theft insurance coverage to affected parties.

Data breaches at other plans

Health Net is not alone in facing fallout from recent data security breaches. In January, Kaiser Permanente announced it had sent letters of apology to 15,500 members in Northern California after an employee's laptop containing sensitive information was stolen from her home.

Meanwhile, BlueCross BlueShield of Tennessee in January released details about what kind of information was stored in hard drives stolen from a former call center facility in October 2009. The drives contained hundreds of thousands of video and audio recordings of customer service calls. The company announced that as many as 500,000 members' information was contained on the drives, and it offered to pay for credit monitoring services at one of three levels, depending on how much of their personal information was compromised. Company spokeswoman Mary Thompson said those analyzing the data are still trying to identify what kind of information about physicians would have been in the files and how many might be affected.

The print version of this content appeared in the Feb 8, 2010 issue of American Medical News.
ADDITIONAL INFORMATION:

Post-breach action plan

The AMA advocates that once a data breach is discovered, health insurers should:
Source: AMA Practice Management Center (www.ama-assn.org/ama1/pub/upload/mm/368/id-theft.pdf)

When plans lose data

Recent data security breaches reported by health plans have left physicians and patients vulnerable to identity theft. Thus far, none of these recent cases has resulted in a report of misuse of identifying information. Among them:

BlueCross BlueShield Assn.: In October 2009, the association disclosed that an employee's laptop containing identifying information about as many as 850,000 physicians had been stolen from the employee's car several weeks earlier. The association offered some affected physicians free credit monitoring.

Health Net: In November 2009, Health Net announced that a portable data drive had "gone missing" from a Connecticut office six months earlier, compromising information for as many as 446,000 current and former members and an unknown number of network physicians in Connecticut, New Jersey and New York.

BlueCross BlueShield of Tennessee: The Blues plan disclosed last year that two hard drives had been stolen from a leased building that had previously been used as a call center. The drives contained audio and video recordings of customer service calls that captured identifying data and medical information for as many as 500,000 members. The company offered three levels of credit monitoring to affected members, depending on what kind of information about them was contained on the drives. (See correction)

Kaiser Permanente: Kaiser announced in January that identifying information for 15,500 patients in Northern California was compromised when a Kaiser employee's laptop was stolen from her car in December 2009. The employee was fired. Kaiser notified authorities and apologized for the incident, but it did not offer credit monitoring services to those affected.

Source: Company news releases

Correction

This article incorrectly reported the number of hard drives stolen from a building leased by BlueCross BlueShield of Tennessee in October 2009. The correct number was 57. American Medical News regrets the error.

Copyright 2010 American Medical Association. All rights reserved.