Link: Connecticut AG sues Health Net over security breach
If you think the HITECH Act isn't a game changer, think again. The State Attorney General ("AG") of Connecticut filed an historic lawsuit for breach of protected health information for an estimated 446,000 past and present Connecticut enrollees of Health Net of Connecticut.
"Sadly, this lawsuit is historic – involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Connecticut Attorney General Richard Blumenthal said. Health Net failed to promptly notify consumers of the security breach that involved missing medical records containing personal, intimate patient information as well as financial and claims data.
According to the article in Health IT News, at the link above, "...on or about May 14, 2009 Health Net officials learned that a portable computer disk drive disappeared from the company's Shelton office. The disk drive contained protected health information, Social Security numbers and bank account numbers for approximately 446,000 past and present Connecticut enrollees.
In the lawsuit, Blumenthal alleges that Health Net failed to promptly notify his office or other Connecticut authorities of the missing information, which included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."
Since when do state AGs have the authority to bring civil suits on behalf of their citizens for breach of PHI? Well, at least since February 17, 2009, when the HITECH Act was enacted as part of ARRA, although many state laws arguably provided similar rights prior to that. Section 13410 of the Act states, in part, as follows:
(e) ENFORCEMENT THROUGH STATE ATTORNEYS GENERAL.—
(1) IN GENERAL.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended by adding at the end the following new subsection:
‘‘(d) ENFORCEMENT BY STATE ATTORNEYS GENERAL.—
‘‘(1) CIVIL ACTION.—Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—
‘‘(A) to enjoin further such violation by the defendant; or
‘‘(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).
With such a high-profile breach, we would not be surprised if HHS gets in on the act. After all, there is a new sheriff in town, and she is not nearly as nice as the old one.
Well stated, Jim. The stakes are now much higher with respect to enforcement of civil and criminal penalties. Thanks for sharing your perspectives.
Posted by: Deborah Leyva | January 15, 2010 at 01:42 PM
Conn. Attorney General Sues Health Net Over Data Security Breach
Real problems that needed real solutions:
Many of you may have heard the recent landmark case of this large healthcare provider who had breached patient secure information laws. http://bit.ly/65fOka
What makes this case so special is this lawsuit marks the first time a state attorney general has sued over HIPAA violations. The health IT provisions of the 2009 federal economic stimulus package authorized state attorneys general to enforce the HIPAA privacy and security rules.
Could the above incident of breach have been prevented? Of course, and to be frank, I have witnessed this type of violation with several companies on a first-hand basis in my 13 years as an IT risk management operations manager. Can we expect more of these cases? I believe we are all in agreement on this one: unfortunately, yes. One of the most difficult problems for a CEO/business owner and their officers will be fully comprehending the magnitude of how easily this type of breach can occur and, in the case above, how devastating the costs. The next misunderstanding is the steps involved in preventing and combating them prior to receiving the call from the Attorney General’s office.
And finally, but not in the least, during development of their information protection risk management programs, many do not discuss their developments in detail with the protection advisors. This I have found to be true for many reasons, and for the most part business executives and owners not knowing what their current insurance broker can bring to the table, if anything.
Your protection advisor should be capable of understanding the new laws, your corporate environment and their operations at local, campus or enterprise levels. They must understand the technology you utilize and how this technology is implemented across your operations. Coordination between your CFO, CIO, HR and management teams is crucial to your risk management plan's success, including the availability of proven audit, training and program tool sets. And finally they must have the proper insurance carriers that offer the protection class your operations demand in a module and packaged policy program. In addition, their risk management and support services must be state of the art to ensure the broadest and most comprehensive coverages available. I expect this from my carriers and so should you.
If you have any doubts as to the ability of your risk management and protection plans, you need to contact me immediately for your free review. You have everything to gain in calling and, as we have seen above, much to lose if you set this warning aside.
Jim Nocero
www.TechnologyInsuranceSolutions.com/blog/
Posted by: Jim Nocero | January 15, 2010 at 01:28 PM