Connecticut Security Breach Lawsuit

Date:  01/13/2010 (Date of Filing)

Misconduct Type:  Consumer Affairs

Enforcement Agency:  State/Local

Contracting Party:  None

Court Type:  Civil

Amount:  $650,000

Disposition:  Settlement

Synopsis:  Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut over the company's loss of a hard drive holding the personal information of 446,000 enrollees. The hard drive disappeared from a Health Net office in Shelton, Conn., on May 14, 2009. The lawsuit alleged the company failed to encrypt the data and failed to promptly notify state officials after learning of the hard drive’s disappearance. In July 2010, Health Net and its affiliates paid $250,000 in fines to settle the lawsuit. Health Net also agreed to implement a “corrective action plan” to better protect health information and other private data in compliance with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Should it be established that the hard drive was accessed and personal information was used illegally, Health Net will be required to pay the state an additional $500,000. In November 2010, the Connecticut Insurance Department (CID) fined Health Net $375,000 for the breach. CID levied the fine because it believed Health Net did not notify authorities and members in a timely manner. In July 2012, Health Net agreed to pay an additional $25,000 after CID found that Health Net did not “exhibit evidence of good management,” conform to state confidentiality laws, or fully safeguard the personal information of approximately 24,000 members.