Health Net of Connecticut Sued for Security Breach

Connecticut Attorney General Richard Blumenthal is suing Health Net of Connecticut over the company’s May 2009 loss of a hard drive holding information on nearly 450,000 enrollees. According to Blumenthal’s office, the complaint filed in U.S. District Court in Hartford marks the first time a state attorney general has invoked new authority under the American Recovery and Reinvestment Act of 2009 to pursue breaches of personal health information. The hard drive disappeared from a Health Net office in Shelton, Conn., on May 14, 2009, and the company failed to notify the attorney general’s office and other state officials, the lawsuit alleges. Blumenthal charges that Health Net, which has about 6.6 million members across the country, did not inform his office or other Connecticut authorities of the missing information, which included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence, and medical records. The Attorney General said Health Net waited six months after the breach before posting a notice on its Web site and informing members of the problem on Nov. 30. “Sadly, this lawsuit is historic—involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves —before Health Net notified appropriate authorities and consumers.” “These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers. “Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.” Blumenthal’s lawsuit alleges that Health Net failed to effectively supervise and train its workforce on policies and procedures concerning the appropriate maintenance, use and disclosure of protected health information. Blumenthal’s lawsuit also names UnitedHealth Group Inc. and Oxford Health Plans LLC. While those companies did not cause the data breach, the companies have acquired ownership of Health Net of Connecticut.