Health Net Fined Again for Breach

Vermont Follows Connecticut in Fining Insurer
Health Net Fined Again for Breach
Insurer Health Net faces a third fine -- this time from the state of Vermont -- for a 2009 health information breach incident involving a lost unencrypted disk drive.

Vermont Attorney General William Sorrell announced a $55,000 settlement with Health Net for violating both the state's Security Breach Notice Act and HIPAA. The complaint alleged the insurer delayed for six months notifying 525 Vermont consumers of the May 14, 2009, breach and failed to adequately secure the information on the drive. The incident affected 1.5 million people nationwide, including 500,000 in Connecticut.

Earlier Breach Fines

Last July, Health Net agreed to pay $250,000 in damages and offer stronger consumer protections to settle a HIPAA civil lawsuit filed in federal court by Connecticut Attorney General Richard Blumenthal, who is now a U.S. Senator.

The federal lawsuit, filed by Blumenthal was the first of its kind filed in the wake of the HITECH Act, which enabled state attorneys general to bring civil action in federal court for violations of the HIPAA security and privacy rules.

In addition to that HIPAA lawsuit settlement, the Connecticut Insurance Department announced last November that it fined the insurer $375,000 for state law violations, primarily stemming from the tardy notifications of consumers about the health information breach.

Breach Incident Details

The lost Health Net disk drive included 28 million scanned, unencrypted pages of documents, such as claims and membership forms, appeals, grievances and medical records, according to state documents filed in the cases. Information in the documents included names, addresses, bank account numbers and Social Security numbers.

Under the HITECH Act interim final breach notification rule, which went into effect in September 2009, healthcare organizations must report breaches affecting 500 or more individuals to federal authorities, the media and those affected within 60 days.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network