January 22, 2010
Written By Attorneys: John F. Mullen and Christopher J. DiIenno
This article is an interpretation of current law and is offered for informational purposes only. This material is not legal advice and should not be construed or used as a substitute for the advice of an attorney.
On January 12, 2010, Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net of Connecticut ("Health Net") alleging that the medical and financial information of 446,000 enrollees was not properly secured as required under the 2009 amendments to the Health Insurance Portability and Accountability Act ("HIPAA"). The lawsuit alleges that Health Net failed to promptly notify the Attorney General's office and the affected residents of Connecticut of a security breach that occurred in May 2009, when a portable computer disk drive was either stolen or lost. The lawsuit seeks an award of civil penalties and a court order enjoining Health Net from continued violations of HIPAA and Connecticut Unfair Trade Practices laws.
This is the first state action against an insurer for HIPAA violations since the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH") authorized state attorneys general to enforce HIPAA. In all likelihood, it will not be the last such lawsuit.
Attorney General Blumenthal, who is running for the Senate seat vacated by Chris Dodd, is the brother of David Blumenthal, currently serving as the national coordinator for healthcare information technology with the Department of Health and Human Services. Attorney General Blumenthal said that "[t]he staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers."
This case highlights emerging concerns over the use and storage of electronic data concerning individuals. Regulatory agencies are being armed with tougher enforcement laws, such as HITECH, and are less tolerant of violations. If, as alleged, Health Net failed to provide reasonable notice of the breach, and then downplayed the danger to affected patients, it exposed itself to potentially significant fines, remediation costs and defense fees, regardless of whether the disclosed information leads to identity theft. In addition, Attorney General Blumenthal alleges that Health Net has yet to implement the data protections required by HIPAA through means such as encryption. See 45 C.F.R. §§ 164.304 - 164.312. This is not only an actionable charge in itself, but may be further support for charges of mishandling the breach event.
According to Health Net, it is offering affected members two years of credit monitoring, and should they fall victim to identity theft, direct assistance and $1 million in identity theft insurance. Such steps to mitigate and prevent further damages are often part of the necessary response to a data breach event. These services can be costly. Time will tell whether these steps can provide an adequate showing of good faith on the part of Health Net.
The filing of the Health Net lawsuit provides the following lessons to all businesses that collect and store personal data. First, the institution of preventative measures, such as encryption and risk monitoring programs, often now legally required, may very well avoid a data breach in the first place. Second, if a breach occurs, avoidance of the necessary notification and mitigation processes will most likely cause additional expense in the form of litigation costs, potential fines and penalties.
NLdH will closely monitor this important case.