Connecticut AG Files First HITECH Act Suit

In a lawsuit he described as “[s]adly . . . historic,” Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information of hundreds of thousands of Connecticut enrollees and failing to promptly notify the consumers endangered by the resulting security breach.  The case marks the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).  The suit also alleges a violation of Connecticut’s breach notification statute.

The complaint, filed January 12, 2010, alleges that on or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices.  The disk contained unencrypted protected health information, Social Security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents.  Health Net did not begin notifying affected individuals until November 2009, roughly six months after it learned of the loss.

On January 13, 2010, the Attorney General filed a motion for a preliminary injunction.  The proposed injunction mandates that Health Net and related defendants (i) comply with the privacy, security and other requirements of HIPAA; (ii) take corrective action and make “all efforts” to protect affected citizens against identity theft and other harm; and (iii) conduct “effective training of all members of their respective workforces (including independent contractors) on the policies and procedures with respect to protected health information, and personal information as defined under state law, regarding the requirements of federal and state law.”

Connecticut Attorney General Investigation Sheds Light on Meaning of “Unreasonable Delay” in Data Breach Context

On November 9, 2009, Connecticut’s Attorney General, Richard Blumenthal, announced an investigation of whether Blue Cross and Blue Shield (“BCBS”) violated Connecticut’s data breach notification law by waiting until two months after a data breach had occurred to notify affected Connecticut residents.  The data breach, which Attorney General Blumenthal called “one of the most sizable and significant in Connecticut’s history,” involved the theft of a laptop containing confidential unencrypted data from the car of a BCBS employee in late August.  BCBS notified affected Connecticut residents of the breach in late October.

The data contained on the stolen laptop included the names, addresses and Taxpayer Identification Numbers of approximately 19,000 health care providers in Connecticut.  The breach also involved thousands of Social Security numbers (“SSNs”), since an estimated 16-22% of individual health care providers use their SSNs as Taxpayer Identification Numbers.  BCBS confirmed that the breach did not involve any medical information or patient information.

Connecticut’s data breach notification law requires any person who “conducts business in” Connecticut and who “owns, licenses or maintains computerized data that includes personal information” to disclose any breach of security to affected Connecticut residents “without unreasonable delay.”  Attorney General Blumenthal is requesting more details from BCBS about the breach, including a list of impacted health care providers, the credit monitoring services and other protections that BCBS is offering those providers, and BCBS’s policies and procedures for responding to data breaches.  He noted that failure to comply with Connecticut’s data breach notification law constitutes an unfair trade practice that may subject BCBS to fines of up to $5,000 for each Connecticut resident affected by the breach and may require BCBS to provide restitution to those affected residents.