June 8, 2010
SHELTON — Health Net will pay the state at least $250,000 and implement stronger consumer protections to settle allegations the insurer failed to secure medical records, financial information and other private data on more than 440,000 Connecticut members, state officials said Tuesday.
State Attorney General Richard Blumenthal, who sued the company in the wake of a security breach last year, announced the settlement, calling it the first of its kind in the nation. It resolves allegations that Health Net violated the Health Insurance Portability and Accountability Act, commonly known as HIPAA, and state privacy protections regarding personal information such as Social Security numbers and financial information.
Health Net told state officials in November that a portable disk drive containing personal information on 446,000 Connecticut members of the company was missing. In December, Blumenthal said an investigation showed the drive likely was stolen along with two laptops from Health Net’s Northeast office at One Far Mill Crossing.
State officials criticized the company for its delay in reporting the security breach; the information was lost in May 2009 but was not reported until late November. Health Net officials said at the time that, due to the type of files saved on the disk drive, they couldn’t immediately determine what information was on it and had to conduct a lengthy investigation.
Company officials have said special software is needed to read the information contained on the disk drive.
The possibility that the data may have been stolen, as opposed to lost, emerged late last year in an independent report by Kroll Inc., a security company Health Net hired to assess the loss of the disk drive. Health Net officials said, however, the report came to no definitive conclusion about what happened to the data.
On Tuesday, Health Net released a statement that said there is no evidence the data has been misused. “Protecting the privacy of our members is extremely important to us,” the statement said, adding the company is working with Blumenthal’s office and state regulators to enhance its security systems and controls. The company also has offered two years of free credit monitoring services, which include $1 million of identity theft insurance coverage, to all affected members who want them.
Blumenthal called the settlement “sadly historic.”
The company will pay the state $250,000, and will pay an additional $500,000 to the state if it is found that the disk drive has been accessed and its contents used illegally, impacting Health Net members.
In addition, Health Net is taking steps to ensure private data is protected in compliance with HIPAA. Those measures include continued identity theft protection, improved systems controls, better management and oversight methods, improved monitoring methods, and better training for employees.
“More than the money, this settlement sends a strong message to Health Net and all guardians of private health and financial information about their profound responsibilities to protect medical and financial records,” Blumenthal said in a statement. “This settlement provides powerful protections for consumers and payment to taxpayers.”