Conn. AG, Health Net reach $250K settlement over large security breach

Health Net and its affiliates have reached a settlement with the Connecticut Attorney General (AG) Richard Blumenthal over Health Net’s failure to secure private patient medical records and financial information on nearly half a million Connecticut enrollees and promptly notify consumers endangered by the breach.

Under the terms of the settlement, Health Net will provide protections for consumers and will also make a $250,000 payment to the state. This marks the first action by a state attorney general for violations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) since the Health IT for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA, according to Blumenthal's office.

Blumenthal sued after Health Net allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information.

Blumenthal said that the company delayed notifying consumers and law enforcement authorities, and that an investigation by a Health Net consultant concluded the disk drive was likely stolen.

The settlement involves Health Net of the Northeast, Health Net of Connecticut and parent companies, UnitedHealth Group and Oxford Health Plans.

Under this settlement, Health Net and its affiliates have agreed to:
  1. A “Corrective Action Plan” in which Health Net implements detailed measures to protect health information and other private data in compliance with HIPAA. The plan includes continued identity theft protection; improved systems controls; improved management and oversight structures; improved training and awareness for its employees; and improved incentives, monitoring and reports.
  2. A $250,000 payment to the state representing statutory damages. The payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and healthcare entities that are entrusted with individuals’ private information.
  3. An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.
