Posted by: Pabrai
Health Net, HIPAA, Lawsuit, Settlement
Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates of a lawsuit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.
Why the Lawsuit?
The lawsuit was the result of the disappearance in May 2009 of an unencrypted hard drive with Protected Health Information (PHI) on 1.5 million members, including 446,000 in Connecticut. Health Net took over six months before notifying impacted individuals.
HIPAA and State Attorney Generals
This was the first lawsuit by a State’s Attorney General since the HITECH Act provided state attorney generals the authority to prosecute HIPAA privacy and security violations.
The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:
1. A $250,000 payment to the state representing statutory damages.
2. An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members
3. A Corrective Action Plan (CAP) in which Health Net is implementing several measures to secure PHI and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
There have been over 354 million privacy breaches over the past five years in the USA alone. California recently fined five hospitals $675,000 in penalties for failing to prevent unauthorized access to patient medical information.
Organizations must complete a comprehensive and thorough risk analysis to clearly identify security and compliance gaps. Executive management must be provided information on critical gaps and resources as well as the budget required to complete a Corrective Action Plan (CAP) – as was required for Health Net as a result of the law suit.