Connecticut-based insurance company – Health Net – is to pay a fine of $55,000 to the Vermont Attorney General’s Office for HIPAA non-compliance and failing to protect the data of the state’s policy holders following a HIPAA data breach that exposed the personal health information of 1.5 million people.
The Health Insurance Portability and Accountability Act (1996) requires all covered entities to report security breaches that expose patient data to the Department of Health and Human Services, and breach notifications must also be issued to all affected individuals within a reasonable time frame.
Health Net discovered that a computer hard drive had gone missing from its facilities on May 19, 2009, yet it took the insurer more than 6 months to issue breach notifications to the affected patients. When that notification was finally sent, the 525 Vermont residents affected by the breach were advised that the risk of their data being viewed by unauthorized individuals was low. According to Health Net, “the files on the missing drive were not saved in a format that can be easily accessible.”
This statement suggests that any person in possession of the hard drive would be unlikely to be able to access the files it contained. The Attorney General determined that this was not the case: the data stored on the hard drive was neither encrypted nor password protected, and it was saved in TIF format, a format that can be opened by a number of widely used computer software programs, many of which can be downloaded free of charge. Online software sites can also easily convert the files into a more familiar format.
The settlement was reached with the Attorney General over Health Net’s failure to secure the Protected Health Information of its policy holders, which violates HIPAA. The insurer is also alleged to have misinterpreted the risk posed to its policy holders in the breach notification letters it sent, which violated the Consumer Fraud Act. Health Net also violated the Security Breach Notice Act by unnecessarily delaying the breach notification letters advising the affected persons of the risk of identity theft and fraud. Health Net was required to send notifications “in the most expedient time possible and without unreasonable delay.”
A fine of $375,000 must also be paid to the Connecticut Insurance Department for failing to protect health data and putting the privacy of Connecticut residents at risk. Because the lost or stolen hard drive contained unprotected health information, a violation of HIPAA, Health Net could also be fined by the Office for Civil Affairs.
In addition to the fines issued, Health Net has agreed to a full data-security audit and it must conduct regular risk assessments and submit reports on its privacy and security procedures to the Attorney General for two years.