Health Net Sued By Connecticut Attorney General – Someone’s Enforcing HIPAA For A Change
Posted Jan 13 2010 4:34pm
HIPAA has to be the best almost non enforced set of provisions to ever hit the law books, and on the same subject, the least prosecuted and attempts to bring to justice, but that is the case no longer as the Attorney General gets ready to sue Health Net for the security breach of recent. One thing HeatlhNet did right was to bring the forensics in from Kroll, they are good and have offices all over the US, so keep that tucked away and hopefully you will never need their services.
Also, the attorney general is still looking at the HealthNet acquisition of United Healthcare patients in Connecticut, as in other states, there are issues with lack of competition for consumers.
Healthnet still has other legal issues hanging over their head too with the Ingenix data base that they just finally quit using this summer. There’s a ton of lawsuits in progress and perhaps more taking place over the data base that over charged patients and cut payments to doctors for 8-9 years for out of network services.
As always in theft cases, it was data that was not stored on a secured server, but rather on a portable computer or drive. BD
Health Net is being sued by Attorney General Richard Blumenthal for allegedly failing to secure patients' medical records and not promptly notifying consumers of a massive security breach. The health insurer, which has a Northeast headquarters in Shelton, had a portable, external hard drive go missing in May, though it's not clear if it was lost or stolen. The company reported the lost records in November after a six-month internal investigation. The drive contained medical claims and financial information of up to 1.5 million customers, mostly in the Northeast, dating to 2002, including 446,000 in Connecticut. Information on the drive is stored as images that require specialized software to open, but is not encrypted. Blumenthal's office said the lost records are a violation of HIPAA, the Health Insurance Portability and Accountability Act of 1996, and is seeking a court order to require the company to encrypt all information placed on a portable device. The attorney general's office says this is believed to be the first instance in which a state attorney general has enforced HIPAA since state attorneys general were given that right through the Health Information Technology for Economic and Clinical Health Act of 2009.
Health Net officials hired an independent computer company, Kroll, to assess the amount and nature of the information on the hard drive. When the results of that research were in, the company reported the data breach. Last month, the attorney general's office said Kroll determined that two laptops were stolen from Health Net's Shelton facility around the same time the hard drive went missing.