The attorney general of Connecticut is suing the Connecticut-based arm of a major health care provider over a missing hard drive that contained the personal information of hundreds of thousands of people.
Attorney General Richard Blumenthal, no stranger to suing organizations that suffer a data breach, said Wednesday in a statement that Health Net of Connecticut failed to secure the medical and financial records of an estimated 446,000 state enrollees, nor did the company quickly notify the victims about the incident.
The missing portable external hard drive contained sensitive information dating as far back as 2002 for some 1.5 million past and present customers living in Arizona, Connecticut, New Jersey and New York. The hard drive went missing around May from Health Net’s Northeast headquarters in Shelton, Conn.
The sensitive data was compressed and saved as image files that require a special computer program to be read. However, it was not encrypted.
Health Net officials notified Blumenthal and the state’s Department of Insurance about the breach in November. The insurer said it waited six months to reveal the breach due to an investigation into the incident, which included a forensic review by computer experts.
Blumenthal said this is the first time that a state attorney general has brought a civil action for a violation of the Health Insurance Portability and Accountability Act (HIPAA). Such a move was authorized under the HITECH Act of 2009, passed as part of the economic stimulus bill, which stated that attorneys general can obtain statutory damages against a health care provider on behalf of state residents.
In addition to monetary awards under HIPAA and Connecticut law, the complaint also seeks a court order forcing Health Net to encrypt all portable electronic devices.
“Sadly, this lawsuit is historic, involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft.”
In a statement, Health Net said it was reviewing the lawsuit and will “work cooperatively” with the attorney general’s office. The statement also said that company policy is to encrypt all data and that there is no evidence any of the lost information has been misused.