First Lawsuit by a State Attorney General Enforcing New HIPAA Regulations

January 22, 2010 

Written By Attorneys: John F. Mullen and Christopher J. DiIenno
 

This article is an interpretation of current law and is offered for informational purposes only. This material is not legal advice and should not be construed or used as a substitute for the advice of an attorney.

  

On January 12, 2010, Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net of Connecticut ("Health Net") alleging that the medical and financial information of 446,000 enrollees was not properly secured as required under the 2009 amendments to the Health Insurance Portability and Accountability Act ("HIPAA"). The lawsuit alleges Health Net failed to promptly notify the Attorney General's office and the affected residents of Connecticut of a security breach that occurred in May of 2009 when a portable computer disk drive was either stolen or lost. The lawsuit seeks an award of civil penalties and a court order enjoining Health Net from continued violations of HIPAA and Connecticut Unfair Trade Practices laws.

This is the first state action against an insurer for HIPAA violations since the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH") authorized state attorneys general to enforce HIPAA. In all likelihood, it will not be the last such lawsuit.

Attorney General Blumenthal, who is running for the Senate seat vacated by Chris Dodd, is the brother of David Blumenthal, currently serving as the national coordinator for healthcare information technology with the Department of Health and Human Services. Attorney General Blumenthal said that "[t]he staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers."

This case highlights emerging concerns over the use and storage of electronic data concerning individuals. Regulatory agencies are being armed with tougher enforcement laws, such as HITECH, and are less tolerant of violations. If, as alleged, Health Net failed to provide reasonable notice of the breach, and then downplayed the danger to affected patients, it exposed itself to potentially significant fines, remediation costs and defense fees, regardless of whether the disclosed information leads to identity theft. In addition, Attorney General Blumenthal alleges that Health Net has yet to implement the data protections required by HIPAA through means such as encryption. See 45 C.F.R. §§ 164.304 - 164.312. This is not only an actionable charge in itself, but may be further support for charges of mishandling the breach event.

According to Health Net, it is offering affected members two years of credit monitoring, and should they fall victim to identity theft, direct assistance and $1 million in identity theft insurance. Such steps to mitigate and prevent further damages are often part of the necessary response to a data breach event. These services can be costly. Time will tell whether these steps can provide an adequate showing of good faith on the part of Health Net.

The filing of the Health Net lawsuit provides the following lessons to all businesses that collect and store personal data. First, the institution of preventative measures, such as encryption and risk monitoring programs, often now legally required, may very well avoid a data breach in the first place. Second, if a breach occurs, avoidance of the necessary notification and mitigation processes will most likely cause additional expense in the form of litigation costs, potential fines and penalties.

NLdH will closely monitor this important case.
