Connecticut attorney general sues over breach

The attorney general of Connecticut is suing the Connecticut-based arm of a major health care provider over a missing hard drive that contained the personal information of hundreds of thousands of people.

Attorney General Richard Blumenthal, no stranger to suing organizations that suffer a data breach, said Wednesday in a statement that Health Net of Connecticut failed to secure the medical and financial records of an estimated 446,000 state enrollees and did not quickly notify the victims about the incident.

The missing portable external hard drive contained sensitive information dating as far back as 2002 for some 1.5 million past and present customers living in Arizona, Connecticut, New Jersey and New York. The hard drive went missing around May from Health Net's Northeast headquarters in Shelton, Conn.

The sensitive data was compressed and saved as image files that require a special computer program to be read. However, it was not encrypted.

Health Net officials notified Blumenthal and the state's Department of Insurance about the breach in November. The insurer said it waited six months to reveal the breach due to an investigation into the incident, which included a forensic review by computer experts. 

Blumenthal said this is the first time that a state attorney general has brought a civil action for a violation of the Health Insurance Portability and Accountability Act (HIPAA). Such a move was authorized under the HITECH Act of 2009, passed as part of the economic stimulus bill, which stated that attorneys general can obtain statutory damages against a health care provider on behalf of state residents.

In addition to monetary awards under HIPAA and Connecticut law, the complaint also seeks a court order forcing Health Net to encrypt all portable electronic devices.

"Sadly, this lawsuit is historic, involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft."

In a statement, Health Net said it was reviewing the lawsuit and will "work cooperatively" with the attorney general's office. The statement also said that company policy is to encrypt all data and that there is no evidence any of the lost information has been misused.
