HARTFORD (CN) – Health Net lost an unencrypted disk drive with personal information about 446,000 customers in Connecticut and failed to report it for 6 months, Connecticut says. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable,” Attorney General Richard Blumenthal said.
“Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers,” Blumenthal added.
In his federal complaint, Blumenthal said the health insurer lost the portable computer disk drive on May 14, 2009. It contained 27.7 million scanned pages and more than 120 different types of documents.
After learning of the loss, Health Net hired a computer forensic consulting firm that determined the disk drive was not encrypted. Health Net also failed to back it up and was unable to replicate the lost data, according to the complaint. Health Net did not begin notifying customers or state officials until Nov. 30, 2009 – 6 months after discovering that the disk drive was missing, Blumenthal said.
He wants Health Net enjoined from violating the Health Information Insurance Portability and Accountability Act, and ordered to encrypt all its portable health information.
Blumenthal said this is the first time a state attorney general has sued under HIPAA’s Health Information Technology Economic and Clinical Health Act.
“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said in a statement. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months – most likely by thieves – before Health Net notified appropriate authorities and consumers.”
Also named as defendants are UnitedHealth Group and Oxford Health Plans. While those companies did not cause the data breach, they have acquired ownership of Health Net of Connecticut.