Connecticut Attorney General First to Take Action for HIPAA Violations

The Connecticut Attorney General, Richard Blumenthal, has announced that a settlement has been reached with healthcare provider Health Net over violations of the Health Insurance Portability and Accountability Act (HIPAA).

The Connecticut AG is the first to exercise the right to enforce HIPAA since that power was given to state AGs by the amendments to HIPAA introduced by the Health Information Technology for Economic and Clinical Health Act (HITECH).

Health Net was fined $250,000 for failing to implement adequate controls to protect the health data of its patients and for violations of the Breach Notification Rules. Legal action was taken against Health Net following the loss of an unencrypted disk drive in May 2009, which exposed the data of 1.5 million Americans, 446,000 of whom were Connecticut residents. The incident exposed Social Security Numbers, financial information and personal identifiers, and the subsequent investigation concluded that the drive was most likely stolen.

In addition to the fine, Health Net has been ordered to provide two years of credit monitoring services to all affected individuals to mitigate any loss, damage or risk of identity and medical theft. It is also required to reimburse the cost of security freezes and to pay $1 million to cover identity theft insurance. The $250,000 fine is for statutory damages and is payable to the state; should any of the data be used for illegal purposes that affect any of Health Net’s members, Health Net will also be required to pay the state an additional $500,000 in damages.

The announcement of the settlement marks the end of 18 months of legal action. The complainant noted that Health Net’s efforts to remedy the situation have exceeded $7,000,000 when the cost of the investigation, credit monitoring services, insurance and the issuing of the breach notification letters are taken into consideration.

The settlement includes an action plan that must be carried out to implement a number of new security measures, bringing the organization into line with HIPAA regulations and ensuring that all Protected Health Information is secured. These measures include new control systems, better risk management, protection against identity theft, new training for employees and a number of monitoring and reporting requirements. The settlement applies to Health Net Northeast Inc., Health Net of Connecticut Inc., United Health Group Inc. and Oxford Health Plans.

According to Blumenthal, “This settlement is sadly historic – involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA.” He went on to say: “These missing medical records included some of the most personal, intimate patient information – exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. This settlement provides powerful systemic protections for consumers and payment to taxpayers.”

The Attorney General is sending a strong message to all HIPAA-covered entities in the state that violations of the privacy, security and breach notification rules will not be tolerated, and that organizations that violate state and federal legislation will be held accountable for their actions, or lack of them. The AG believes that patients’ Protected Health Information must always be kept private and confidential, and that HIPAA regulations must be followed as a minimum standard.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.