Coalition of States Demands Answers About Google Street View

On July 21, 2010, a coalition of 38 states sent a letter to Google demanding more information about the company’s collection of data from unsecured wireless networks by its Google Street View vehicles.  The letter was sent by Connecticut Attorney General Richard Blumenthal on behalf of the executive committee of a multistate working group investigating Google Street View practices.  As we reported on June 22, Blumenthal has spearheaded the nationwide investigation into Google Street View.  Among other things, the letter asks Google to identify who was responsible for the software code that allowed the Street View cars to collect data broadcast over Wi-Fi networks, and for a list of states where unauthorized data collection occurred.  The letter also asks Google for details regarding whether any of the data was disclosed to third parties or used for marketing purposes.

In his press release, Attorney General Blumenthal raised the specter of legal action against Google, noting that “[o]ur multistate investigation will determine whether laws were broken and whether legislation is necessary to prevent future privacy breaches” and “we will take all appropriate steps—including potential legal action if warranted—to obtain complete, comprehensive answers.”  The letter requested a response from Google by July 23, 2010.

Data protection authorities in the EU also are investigating Google Street View.

Connecticut Attorney General to Lead Multistate Investigation into Google

Connecticut Attorney General Richard Blumenthal recently announced that his office will lead a multistate investigation into the “deeply disturbing” unauthorized collection of personal data from wireless computer networks by Google’s Street View cars.  Attorney General Blumenthal noted that Google “must provide a complete and comprehensive explanation of how this unauthorized data collection happened, why the information was kept if collection was inadvertent and what action will prevent a recurrence.”  A significant number of states are expected to participate in the investigation. 

Blumenthal’s press release is available on the Connecticut Attorney General’s website.
 

Attorney General Launches New HIPAA Investigation

The Attorney General of Connecticut, Richard Blumenthal, is investigating an alleged breach of medical records at Griffin Hospital in Derby, Connecticut.  The hospital believes that a formerly affiliated radiologist gained unauthorized access to its digital Picture Archiving and Communications System (“PACS”), which stores patient information, including names, exam descriptions and medical record numbers.  In February, the hospital began receiving inquiries from patients who had been contacted by the radiologist to promote professional services offered at another medical facility.  In response to patient inquiries, the hospital conducted an internal investigation that revealed several instances of unauthorized access to the PACS system.  The hospital subsequently notified Attorney General Blumenthal.

In a statement, the Attorney General indicated that “unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce” and that he would “seek strong and significant sanctions, if warranted by the facts.”

Passed as part of the economic stimulus legislation in 2009, the HITECH Act authorizes state attorneys general to enforce HIPAA.  Attorney General Blumenthal was the first state attorney general to file a suit pursuant to this HITECH Act enforcement authority.  For more information on the first HITECH Act suit, please see our previous blog post.

Connecticut AG Files First HITECH Act Suit

In a lawsuit he described as “[s]adly . . . historic,” Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees and promptly notify consumers endangered by the security breach.  The case marks the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).  The suit also alleges a violation of Connecticut’s breach notification statute.

The complaint, filed January 12, 2010, alleges that on or about May 14, 2009, Health Net learned that a portable disk drive had disappeared from one of its offices.  The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents.  Health Net did not begin notifying affected individuals until November 2009.

On January 13, 2010, the Attorney General filed a motion for a preliminary injunction.  The proposed injunction mandates that Health Net and related defendants (i) comply with the privacy, security and other requirements of HIPAA; (ii) take corrective action and make “all efforts” to protect affected citizens against identity theft and other harm; and (iii) conduct “effective training of all members of their respective workforces (including independent contractors) on the policies and procedures with respect to protected health information, and personal information as defined under state law, regarding the requirements of federal and state law.”

Connecticut Attorney General Investigation Sheds Light on Meaning of "Unreasonable Delay" in Data Breach Context

On November 9, 2009, Connecticut’s Attorney General, Richard Blumenthal, announced an investigation of whether Blue Cross and Blue Shield (“BCBS”) violated Connecticut’s data breach notification law by waiting until two months after a data breach had occurred to notify affected Connecticut residents.  The data breach, which Attorney General Blumenthal called “one of the most sizable and significant in Connecticut’s history,” involved the theft of a laptop containing confidential unencrypted data from the car of a BCBS employee in late August.  BCBS notified affected Connecticut residents of the breach in late October.

The data contained on the stolen laptop included the names, addresses and Taxpayer Identification Numbers of approximately 19,000 health care providers in Connecticut.  The breach also involved thousands of Social Security numbers (“SSNs”), since an estimated 16-22% of individual health care providers use their SSNs as Taxpayer Identification Numbers.  BCBS confirmed that the breach did not involve any medical information or patient information.

Connecticut’s data breach notification law requires any person who “conducts business in” Connecticut and who “owns, licenses or maintains computerized data that includes personal information” to disclose any breach of security to affected Connecticut residents “without unreasonable delay.”  Attorney General Blumenthal is requesting more details from BCBS about the breach, including a list of impacted health care providers, the credit monitoring services and other protections that BCBS is offering those providers, as well as BCBS’s policies and procedures for responding to data breaches.  He noted that failure to comply with Connecticut’s data breach notification law constitutes an unfair trade practice that may subject BCBS to fines of up to $5,000 for each Connecticut resident affected by the breach and require BCBS to provide restitution to those affected residents.