Over 1750 Total Lots Up For Auction at Five Locations - NJ Cleansweep 05/02, TX 05/03, TX 05/06, NJ 05/08, WA 05/09

Spanish Spanish

Connecticut Sues Insurer Health Net for Protected Health Data Loss

by Astrid Fiano, DOTmed News Writer | January 20, 2010
Share
A large health
data security
breach alleged
The State of Connecticut has filed a federal lawsuit against Health Net of the Northeast, Inc., Health Net of Connecticut, Inc. (Health Net) accusing Health Net of losing an unencrypted disk drive with protected health and personal information of about 446,000 customers in Connecticut. This action is the first by a state attorney that involves violation of the Health Information Portability and Accountability Act (HIPAA) since the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 authorized state attorneys general to enforce HIPAA violations. The defendants also include United Health Group Inc., and Oxford Health Plans, LLC, who recently acquired Health Net.

According to the allegations in the complaint, in May of 2009 Health Net learned that a portable computer disk drive (transported between California and Connecticut) that contained protected health information, social security numbers, and bank account numbers for around 446,000 past and present Connecticut enrollees disappeared from the company's Shelton, CT office. The complaint goes on to say that Health Net delayed and otherwise failed to properly inform the state attorney general's office, the Connecticut Department of Insurance, Department of Consumer Protection or any other government agency authority of the missing drive and its health and private information. The company subsequently learned that the unencrypted disk drive contained 27.7 million scanned pages of over 120 different types of documents including insurance claims forms, membership forms, appeals and grievances, correspondence and medical records.

The complaint says that Health Net decided to not encrypt the data prior to its loss in disregard of federal law requirements, and also did not create a log file of the collection and transfer of the data that was included on the disk drive. This lack of a log file created further problems by increasing the risk of disclosure of the protected health information because the information on the disk drive was not readily available. Health Net then replicated the entire creation of the disk drive, which the complaint alleges delayed efforts to mitigate the data breach.

Health Net allegedly did not notify the Connecticut residents whose private information may have been compromised through the breach, until it posted a notice on its website on November 18, 2009 and began sending letters in a rolling mailing on November 30, 2009.
Sign up for Weekly Top stories

Sign up for Weekly Top stories

 

advertisement

More Industry Headlines

Varian to install Halcyon system at radiation therapy center in Saudi Arabia
RCM company Ensemble Health Partners expands AI capabilities with Microsoft
Elekta recalls biopsy needle kits due to contamination risk
Mobile CT program in NYC shows promise in boosting lung cancer screening in urban settings
McLeod Health breaks ground on $56 million South Carolina hospital
FDA puts Philips on notice for CT and ultrasound manufacturing facility
Canon Medical installs its third photon-counting CT
Through Edgility acquisition ABOUT aims for end-to-end AI-driven patient flow
Private equity pushes wave of healthcare bankruptcies
Can the EU Data Act help solve US right to repair issues?