Health Net data breach prompts attorney general’s “historic lawsuit”

Connecticut Attorney General Richard Blumenthal said last November that he was “outraged and appalled” upon learning of Health Net’s massive data breach and their keeping it hush-hush for six months. He acted on those feelings this week by filing suit against the insurer and its new owners, United Health Group and Oxford Health Plans.

The data breach occurred May 2009 when a hard drive containing the information of 1.5 million customers went missing. Records were for the period 2002 through 2009. Roughly 446,000 of the members are from Connecticut.

Blumenthal’s lawsuit asserts Health Net gave its employees inadequate supervision and training on appropriate maintenance, use and disclosure of protected health information.

The company explained the six-month lag time between their awareness of the breach and their notifying state officials by saying the time was necessary to complete a “detailed forensic review.” Kroll, a computer forensic consulting firm hired to complete the investigation determined the information wasn’t encrypted or protected in any way from access or viewing.

The unsecured data included a total of 27.7 million scanned pages of 20 types of documents such as insurance claims forms and medical records. Members’ Social Security numbers, names, birth dates, prescription information, credit card numbers and bank account numbers were exposed.

Blumenthal also alleges Health Net violated the Health Insurance Portability and Accountability Act (HIPAA) by not encrypting medical information stored on a portable electronic device.

“Sadly, this lawsuit is historic—involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said in a statement.

Regarding the lawsuit, a Health Net spokesman said only that they’ve received a copy of the lawsuit and are reviewing it, and that they “will continue to work cooperatively with the Connecticut Attorney General on this matter.”

The company issued a statement in November when they notified the public of the data breach. In it they said, “Protecting the privacy of our members is extremely important to us. We apologize for any inconvenience or concern this may cause our members.”

Bookmark It

Hide Sites

Imagine you receive a collections notice from a hospital 1,000 miles away … in a city you’ve never visited … for a surgery you’ve never had … for a health problem you don’t have … and the notice says you owe more money than your house is worth.

You have to take immediate action, but be warned: Whoever had the surgery might be recovering better than you will.

Start with the financial impact.

Step 1. Place a fraud alert on your credit reports, and review your credit reports.
Step 2. Close your credit card accounts and open new ones with new PINs and passwords. Talk to the fraud department with each company.
Step 3. File a complaint with the Federal Trade Commission and print copies of your FTC ID Theft Complaint Form.
Step 4. File a report with your local law enforcement. Ask them to incorporate the FTC Complaint Form.

Correcting errors in your medical records will be harder, and might be impossible. Worse still, misinformation in your file might be life threatening. The same HIPAA (Health Insurance Portability and Accountability Act) Act intended to protect your medical privacy might work against you because once you indicate that someone else’s medical information is in your file, his or her privacy must also be protected.

Also, any medical providers who didn’t put the erroneous information in your records are not obligated to correct it, nor are insurance companies.

The information in your record might have been sent to a laboratory, a surgeon, a medical specialist, a medical imaging center, an insurance company, a hospital, an anesthesiologist, a home health provider, a physical therapist and a pharmacy.

Patients with primary care doctors with whom they have a good relationship might find them to be their best ally because all medical information should be copied to their offices.

You’re definitely going to need an ally.

Visit LifeLock.com to learn more about the comprehensive services they’re providing to nearly 1.5 million members. Enroll using the LifeLock promotion code DEFENSE and pay only $9 a month.

Bookmark It

Hide Sites