HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Health Net Fined 55K for Delayed HIPAA Breach Notification

Connecticut-based insurance company – Health Net – is to pay a fine of $55,000 to the Vermont Attorney General’s Office for HIPAA non-compliance and failing to protect the data of the state’s policy holders following a HIPAA data breach that exposed the personal health information of 1.5 million people.

The Health Insurance Portability and Accountability Act (1996) requires all covered entities report security breaches that expose patient data to the Department of Health and Human Services, and breach notifications must also be issued to all affected individuals in a reasonable time frame.

Health Net discovered that a computer hard drive had gone missing from its facilities on May 19, 2009, yet it took the insurer more than 6 months to issue breach notifications to the affected patients. When that notification was finally sent, the 525 Vermont residents affected by the breach were advised that the risk of their data being viewed by unauthorized individuals was low. According to Health Net, “the files on the missing drive were not saved in a format that can be easily accessible.”

However, this suggests that any person in possession of the hard drive would be unlikely to be able to access the files it contained. The Attorney General determined that this was not the case; the data stored on the hard drive was not encrypted nor password protected, and was saved in TIF format; a file that can be opened by a number of widely used computer software programs, many of which can be downloaded free of charge. Online software sites can also easily convert the file into a more familiar format.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The settlement was reached with the Attorney General for failing to secure Protected Health Information of its policy holders which violates HIPAA. The insurer is also alleged to have misinterpreted the risk posed to its policy holders in the breach notification letters it sent and this violated the Consumer Fraud Act. Health Net also violated the Security Breach Notice Act by unnecessarily delaying the issue of breach notification letters to advise the affected persons of the risk of identity theft and fraud. Health Net was required to send notifications “in the most expedient time possible and without unreasonable delay.”

A fine of $375,000 must also be paid to the Connecticut Insurance Department for failing to protect health data and putting the privacy of Connecticut residents at risk. Because the lost/stolen hard drive contained unprotected health information and violated HIPAA, Health Net could also be fined by the Office for Civil Affairs.

In addition to the fines issued, Health Net has agreed to a full data-security audit and it must conduct regular risk assessments and submit reports on its privacy and security procedures to the Attorney General for two years.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.