A Northeastern health plan took months to warn policyholders about the loss of unencrypted health and financial information about 446,000 enrollees, an official says.
Connecticut Attorney General Richard Blumenthal, a Democrat who is running for the Senate, has filed a suit against Health Net of Connecticut Inc., Shelton, Conn., in the U.S. District Court in Hartford.
The federal Health Information Technology for Economic and Clinical Health Act now gives state attorneys general the authority to enforce the health data protection provisions in the Health Insurance Portability and Accountability Act of 1996.
Blumenthal is seeking a court order that would require Health Net of Connecticut to encrypt any personal health information stored on portable electronic devices.
In May 2009, Health Net of Connecticut learned that it had lost portable computer disk drive that contained health information, Social Security numbers, and bank account numbers for hundreds of thousands of past and present enrollees, Blumenthal says.
Health Net posted a notice about the breach in November 2009, and began sending letters about the breach starting Nov. 30, 2009, Blumenthal alleges.
Blumenthal alleges that Health Net failed to promptly notify his office or other Connecticut authorities about the loss of the disk drive.
A consulting firm determined that the data lost was not encrypted or otherwise protected from access, Blumenthal alleges.
Since the alleged data breach took place, UnitedHealth Group Inc., Minnetonka, Minn., has acquired Health Net of Connecticut. Blumenthal has named UnitedHealth and a UnitedHealth unit, Oxford Health Plans L.L.C., as defendants.
Health Net of Connecticut has issued a statement saying that protecting members' privacy is extremely important to the company.
"Health Net's company policy states that data must be encrypted and secured," the company says in the statement. "Health Net has just received a copy of the lawsuit and is in the process of reviewing it. We will continue to work cooperatively with the Connecticut attorney general on this matter."
So far, Health Net has no evidence that anyone has misused any enrollees' data, the company says.
"Health Net is offering 2 years of free credit monitoring services for all impacted members who elect this service," the company says. "This service also includes $1 million of identity theft insurance coverage and enrollment in fraud resolution services for 2 years, if needed. Additionally, if members experience any identity theft between May 2009 and the date of their enrollment, Health Net will provide services to restore the member's identity at no cost to the member."
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.