Health Net Fined Again for Breach
Vermont Follows Connecticut in Fining Insurer
Vermont Attorney General William Sorrell announced a $55,000 settlement with Health Net for violating both the state's Security Breach Notice Act and HIPAA. The complaint alleged the insurer delayed for six months notifying 525 Vermont consumers of the May 14, 2009, breach and failed to adequately secure the information on the drive. The incident affected 1.5 million people nationwide, including 500,000 in Connecticut.
Earlier Breach Fines
Last July, Health Net agreed to pay $250,000 in damages and offer stronger consumer protections to settle a HIPAA civil lawsuit filed in federal court by Connecticut Attorney General Richard Blumenthal, who is now a U.S. Senator.
The federal lawsuit, filed by Blumenthal, was the first of its kind filed in the wake of the HITECH Act, which enabled state attorneys general to bring civil action in federal court for violations of the HIPAA security and privacy rules.
In addition to that HIPAA lawsuit settlement, the Connecticut Insurance Department announced last November that it fined the insurer $375,000 for state law violations, primarily stemming from the tardy notifications of consumers about the health information breach.
Breach Incident Details
The lost Health Net disk drive included 28 million scanned, unencrypted pages of documents, such as claims and membership forms, appeals, grievances and medical records, according to state documents filed in the cases. Information in the documents included names, addresses, bank account numbers and Social Security numbers.
Under the HITECH Act interim final breach notification rule, which went into effect in September 2009, healthcare organizations must report breaches affecting 500 or more individuals to federal authorities, the media and those affected within 60 days.