Health Net data breach prompts attorney general’s “historic lawsuit”
Connecticut Attorney General Richard Blumenthal said last November that he was “outraged and appalled” upon learning of Health Net’s massive data breach and their keeping it hush-hush for six months. He acted on those feelings this week by filing suit against the insurer and its new owners, United Health Group and Oxford Health Plans.
The data breach occurred May 2009 when a hard drive containing the information of 1.5 million customers went missing. Records were for the period 2002 through 2009. Roughly 446,000 of the members are from Connecticut.
Blumenthal’s lawsuit asserts Health Net gave its employees inadequate supervision and training on appropriate maintenance, use and disclosure of protected health information.
The company explained the six-month lag time between their awareness of the breach and their notifying state officials by saying the time was necessary to complete a “detailed forensic review.” Kroll, a computer forensic consulting firm hired to complete the investigation determined the information wasn’t encrypted or protected in any way from access or viewing.
The unsecured data included a total of 27.7 million scanned pages of 20 types of documents such as insurance claims forms and medical records. Members’ Social Security numbers, names, birth dates, prescription information, credit card numbers and bank account numbers were exposed.
Blumenthal also alleges Health Net violated the Health Insurance Portability and Accountability Act (HIPAA) by not encrypting medical information stored on a portable electronic device.
“Sadly, this lawsuit is historic—involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said in a statement.
Regarding the lawsuit, a Health Net spokesman said only that they’ve received a copy of the lawsuit and are reviewing it, and that they “will continue to work cooperatively with the Connecticut Attorney General on this matter.”
The company issued a statement in November when they notified the public of the data breach. In it they said, “Protecting the privacy of our members is extremely important to us. We apologize for any inconvenience or concern this may cause our members.”
Tags: Connecticut Attorney General Richard Blumenthal, Data breach, Health Net, HIPAA, ID theft, Identity Theft, Medical Identity Theft, Oxford Health Plan, United Health Group
