Health Net settles with Connecticut over data breach
The agreement requires the insurer to adopt new security safeguards and comes at the same time that HHS proposes new data security rules.
By Emily Berry — Posted July 26, 2010
California-based Health Net has agreed to pay $250,000 to the state of Connecticut to settle a lawsuit brought by the state's attorney general, Richard Blumenthal, who sued the company over a large-scale data breach in 2009.
Nothing in the settlement addresses protection of physician data specifically, and it's unclear how much identifying information about network physicians might have been lost along with patient information.
Health Net, which sold its Connecticut business to UnitedHealth Group in December 2009, did not admit any wrongdoing but agreed to adopt new security procedures and to pay the state an additional $500,000 if between now and Nov. 30, 2011, it's determined that the compromised data has been accessed and misused.
A portable terabyte disk drive containing millions of pages of claims information and medical records disappeared from one of Health Net's Connecticut offices in May 2009, leaving the data inside vulnerable.
There had been no signs of any fraud committed with the lost data at the time the agreement was signed in early July.
United and its Northeast subsidiary, Oxford Health Plans, are named parties to the settlement, but Health Net will be responsible for paying the settlement and implementing the new security measures to safeguard member information.
"As the Connecticut attorney general stated, Health Net has worked closely and cooperatively with his office and state regulators to enhance our security systems and controls through additional associate training and education, as well as state-of-the-art security programs," a Health Net company statement about the settlement said.
According to the settlement, identifying information about 1.5 million current and former members was included on the missing drive. Health Net spokesman Brad Kieffer said he didn't know if physicians' identifying information was on the missing drive or how many doctors might be affected.
The company hasn't been up front about the risk the data breach poses to doctors, said Matthew Katz, executive vice president of the Connecticut State Medical Society.
"Anything and everything about a physician could have been on those files, that hard drive, and though the attorney general has provided some certainty and guarantee for patients, he has done nothing -- nor has Health Net -- to demonstrate they are safeguarding physician information."
According to Blumenthal's office, he was the first in the country to pursue a company for violating new federal health information privacy rules adopted as part of the Health Information Technology for Economic and Clinical Health Act, a portion of the 2009 stimulus package that added new federal protections to health information. The new law requires health insurers and others to notify those affected -- and the media -- if more than 500 people are affected by a data breach.
Possible new HHS regulations
The Dept. of Health and Human Services released proposed new rules July 8 strengthening the existing enforcement regulations and emphasizing that "business associates" and other "downstream" vendors are responsible for protecting private information.
"The Health Net incident was being closely watched not only by other HIPAA-covered entities and business associates, but other attorney generals," said Rick Kam, a data security expert who is president and founder of Portland, Ore.-based ID Experts, a data security consulting firm. "It really is the first of this scale that fell under the HITECH Act."
Both members and their physicians could be at risk, despite no signs yet that anyone has used the information, said Tom Oscherwitz, chief privacy officer for San Diego firm ID Analytics, a consulting firm that helps companies prevent and deal with security breaches.
"Fraudsters are very careful about how they use data," he said. Identity thieves sometimes hang on to data for months -- often longer than a year, until typical credit monitoring expires -- before using what they've stolen. The good news, he said, is that public notification of the breach sometimes will discourage thieves.
According to the settlement agreement, Health Net has spent more than $7 million dealing with the incident, and as late as June still was reviewing a reconstructed version of the lost data to identify every person whose information was compromised.
The insurer offered two years of free credit monitoring to anyone whose information was compromised and free credit repair to anyone whose credit is damaged because of the incident.