Health Net settles with Connecticut over data breach

The agreement requires the insurer to adopt new security safeguards and comes at the same time that HHS proposes new data security rules.

Posted July 26, 2010

California-based Health Net has agreed to pay $250,000 to the state of Connecticut to settle a lawsuit brought by the state's attorney general, Richard Blumenthal, who sued the company over a large-scale data breach in 2009.

Nothing in the settlement addresses protection of physician data specifically, and it's unclear how much identifying information about network physicians might have been lost along with patient information.

Health Net, which sold its Connecticut business to UnitedHealth Group in December 2009, did not admit any wrongdoing but agreed to adopt new security procedures and to pay the state an additional $500,000 if between now and Nov. 30, 2011, it's determined that the compromised data has been accessed and misused.

A portable terabyte disk drive containing millions of pages of claims information and medical records disappeared from one of Health Net's Connecticut offices in May 2009, leaving the data inside vulnerable.

There had been no signs of any fraud committed with the lost data at the time the agreement was signed in early July.

United and its Northeast subsidiary, Oxford Health Plans, are named parties to the settlement, but Health Net will be responsible for paying the settlement and implementing the new security measures to safeguard member information.

"As the Connecticut attorney general stated, Health Net has worked closely and cooperatively with his office and state regulators to enhance our security systems and controls through additional associate training and education, as well as state-of-the-art security programs," a Health Net company statement about the settlement said.

According to the settlement, identifying information about 1.5 million current and former members was included on the missing drive. Health Net spokesman Brad Kieffer said he didn't know if physicians' identifying information was on the missing drive or how many doctors might be affected.

The company hasn't been up front about the risk the data breach poses to doctors, said Matthew Katz, executive vice president of the Connecticut State Medical Society.

"Anything and everything about a physician could have been on those files, that hard drive, and though the attorney general has provided some certainty and guarantee for patients, he has done nothing -- nor has Health Net -- to demonstrate they are safeguarding physician information."

According to Blumenthal's office, he was the first in the country to pursue a company for violating new federal health information privacy rules adopted as part of the Health Information Technology for Economic and Clinical Health Act, a portion of the 2009 stimulus package that added new federal protections to health information. The new law requires health insurers and others to notify those affected -- and the media -- if more than 500 people are affected by a data breach.

Possible new HHS regulations

The Dept. of Health and Human Services released proposed new rules July 8 strengthening the existing enforcement regulations and emphasizing that "business associates" and other "downstream" vendors are responsible for protecting private information.

"The Health Net incident was being closely watched not only by other HIPAA-covered entities and business associates, but other attorney generals," said Rick Kam, a data security expert who is president and founder of Portland, Ore.-based ID Experts, a data security consulting firm. "It really is the first of this scale that fell under the HITECH Act."

Both members and their physicians could be at risk, despite no signs yet that anyone has used the information, said Tom Oscherwitz, chief privacy officer for San Diego-based ID Analytics, a consulting firm that helps companies prevent and deal with security breaches.

"Fraudsters are very careful about how they use data," he said. Identity thieves sometimes hang on to data for months -- often longer than a year, until typical credit monitoring expires -- before using what they've stolen. The good news, he said, is that public notification of the breach sometimes will discourage thieves.

According to the settlement agreement, Health Net has spent more than $7 million dealing with the incident, and as late as June still was reviewing a reconstructed version of the lost data to identify every person whose information was compromised.

The insurer offered two years of free credit monitoring to anyone whose information was compromised and free credit repair to anyone whose credit is damaged because of the incident.
