HIPAA Penalty: Vermont Attorney General Takes Another Bite Out of Health Net's Apple
The Health Net breach is the gift that keeps on giving, to the state attorneys general, that is. This fine is just part of the long term ramifications of a data breach. I am sure that United wishes they hadn't acquired Health Net. Bad publicity rubs off.
The Ponemon Institute study of the cost of a data breach shows that 67% of the cost is in lost business. For all of you that are hiding out, hoping nothing bad will happen this is an object lesson. Get compliant, stay compliant, and be able to prove compliance.
Attorney General Settles Security Breach Allegations Against Health Insurer
Attorney General William Sorrell filed a complaint and proposed settlement Friday with Health Net, Inc., and Health Net of the Northeast, Inc., regarding the health insurance company’s loss of an unencrypted portable hard drive containing protected health information. The complaint alleges violations of HIPAA (the Health Insurance Portability and Accountability Act), Vermont’s Security Breach Notice Act, and Consumer Fraud Act. The settlement requires the defendants to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company’s information security programs for the next two years.
“Consumers expect – and the law requires – that personal information be treated with the utmost care,” said Attorney General William Sorrell. “Identity theft remains one of the fastest growing crimes in America. Companies must be careful to prevent Vermonters’ sensitive information, especially their medical records, from falling into the wrong hands.”
The lawsuit is Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009. The case arises from a portable hard drive that contained protected health information, social security numbers, and financial information of approximately 1.5 million people, including 525 Vermonters. Health Net discovered that the drive was missing on May 14, 2009 and did not start notifying affected Vermont residents until more than six month later. When it did notify Vermont residents, Health Net told them that it believed their risk of harm was “low” because “the files on the missing drive were not saved in a format that can be easily accessible.” The files on the unencrypted drive were in TIF (Tagged Image File) format, which can be viewed using a variety of freely available software.
The complaint alleges that Health Net’s six month delay in notifying Vermont residents violates the Security Breach Notice Act. That law requires data collectors to notify affected individuals of security breaches “in the most expedient time possible and without unreasonable delay.” The complaint further alleges that Health Net violated HIPAA by failing to secure protected health information, and that the company violated the Consumer Fraud Act by misrepresenting the risk posed to affected individuals in the company’s notice letters.
The complaint and proposed consent decree were filed in the U.S. District Court for the District of Vermont. The consent decree must be approved by a judge before it takes effect. Health Net, Inc., and Health Net of the Northeast, Inc., cooperated with the Vermont Attorney General’s investigation of this matter and have settled similar actions in Connecticut and New York.
Cross-posted from Compliance Helper