Thursday, January 14, 2010
Health Net Sued for HIPAA Violations
Connecticut Attorney General Richard Blumenthal has filed a lawsuit charging Health Net of Connecticut Inc. with violations of the HIPAA privacy and security rules following a large breach of identifiable medical records and Social Security numbers.
Blumenthal's office believes this is the first lawsuit by a state's chief legal officer since the HITECH Act last year gave state attorneys general authority to prosecute HIPAA privacy and security violations.
Parent company Health Net in Los Angeles last November reported to insurance officials in four states the disappearance in May of a hard drive with protected health information on 1.5 million members, including 446,000 in Connecticut. The data was not encrypted, but Health Net said it is invisible without the use of specific software. The company attributed the delay in reporting the breach to a lengthy forensic investigation to determine what information was on the hard drive.
In the lawsuit, Blumenthal charges Health Net did not have adequate legal grounds to delay notifying members of the breach and that the delay constituted an unfair trade practice under state law. "Under information and belief, no law enforcement agency determined that the notification to affected Connecticut residents would have impeded a criminal investigation and requested that the notification be delayed," according to the suit.
Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices. He also seeks civil fines.
New federal rules mandated under the HITECH Act require "timely" notification of certain breaches of health information. The rules were effective in September and have a compliance deadline of Feb. 22, 2010. healthdatamanagement