Connecticut attorney general sues over breach

The attorney general of Connecticut is suing the Connecticut-based arm of a major health care provider over a missing hard drive that contained the personal information of hundreds of thousands of people.

Attorney General Richard Blumenthal, no stranger to suing organizations that suffer a data breach, said Wednesday in a statement that Health Net of Connecticut failed to secure the medical and financial records of an estimated 446,000 state enrollees and did not quickly notify the victims about the incident.

The missing portable external hard drive contained sensitive information dating as far back as 2002 for some 1.5 million past and present customers living in Arizona, Connecticut, New Jersey and New York. The hard drive went missing around May from Health Net's Northeast headquarters in Shelton, Conn.

The sensitive data was compressed and saved as image files that require a special computer program to be read. However, it was not encrypted.

Health Net officials notified Blumenthal and the state's Department of Insurance about the breach in November. The insurer said it waited six months to reveal the breach due to an investigation into the incident, which included a forensic review by computer experts. 

Blumenthal said this is the first time that a state attorney general has brought a civil action for a violation of the Health Insurance Portability and Accountability Act (HIPAA). Such a move was authorized under the HITECH Act of 2009, passed as part of the economic stimulus bill, which stated that attorneys general can obtain statutory damages against a health care provider on behalf of state residents.

In addition to monetary awards under HIPAA and Connecticut law, the complaint also seeks a court order forcing Health Net to encrypt all portable electronic devices.

"Sadly, this lawsuit is historic, involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft."

In a statement, Health Net said it was reviewing the lawsuit and will "work cooperatively" with the attorney general's office. The statement also said that company policy is to encrypt all data and that there is no evidence any of the lost information has been misused.
