A health insurer has agreed to pay $250,000 to Connecticut to resolve allegations relating to the loss of a computer disk drive that contained information about 2 million consumers.
Connecticut Attorney General Richard Blumenthal negotiated the settlement with two former subsidiaries of Health Net Inc., Woodland Hills, Calif. (NYSE:HNT) — Health Net of Connecticut Inc. and Health Net of the Northeast Inc.
The settlement also includes UnitedHealth Group Inc., Minnetonka, Minn. (NYSE:UNH), which acquired Health Net’s operations in Connecticut, and Oxford Health Plans, a UnitedHealth subsidiary.
Health Net Inc. is still administering the Connecticut operations for UnitedHealth.
Health Net lost track of a disk drive in May 2009, and there is evidence that the drive may have contained unencrypted Social Security numbers and bank account numbers, Blumenthal alleged in the suit filed in January.
Health Net of Connecticut began telling policyholders about the loss of the drive in November 2009, without letting Connecticut authorities know that the drive had disappeared, Blumenthal alleged in the suit.
Blumenthal is now praising the settling companies for accepting responsibility for the data breach and cooperating with efforts to resolve the matter.
“This settlement sends a strong message to Health Net and all guardians of private health and financial information about their profound responsibilities to protect medical and financial records,” Blumenthal says.
So far, there is no evidence that anyone has misused data from the missing Health Net of Connecticut disk drive, Blumenthal says.
Health Net has issued a statement emphasizing the lack of evidence that personal information has been misused and noting that Blumenthal has described the company as working cooperatively with state regulators.
“Protecting the privacy of our members is extremely important to us,” Health Net says.
The improvements in security systems, security programs and training made since Health Net of Connecticut began working with Connecticut regulators “will result in Health Net being in the forefront of securing member health information,” the company says.
The federal Health Information Technology for Economic and Clinical Health (HITECH) Act lets state attorneys general enforce the health data protection provisions in the Health Insurance Portability and Accountability Act of 1996.
The Connecticut settlement agreement resolves allegations that Health Net violated the HIPAA data protection rules as well as allegations that the company violated state personal and financial data privacy protection rules, Blumenthal says.
The settlement is the first of its kind that a state attorney general has negotiated since HITECH authorized state attorneys general to enforce the HIPAA provisions, Blumenthal says.
THE SETTLEMENT AGREEMENT
In addition to paying Connecticut $250,000, Health Net has agreed to:
- Implement a “corrective action plan” designed to improve protection of health information and other private data.
- Pay $500,000 more to Connecticut “should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.”
- Offer 2 years of free credit monitoring services for all affected plan members who want the service. The credit monitoring service will provide $1 million in identity theft insurance coverage and enrollment in fraud resolution services for 2 years, if needed.
- Provide extra protection against cases of identity theft occurring between May 2009 and the date the credit monitoring service program takes effect.
“If members experience any identity theft between May 2009 and the date of their enrollment in the service, Health Net will provide services to restore the member’s identity at no cost to the member,” Health Net says.