Connecticut Attorney General Richard Blumenthal filed the lawsuit, arguing that Health Net failed to secure private medical records and financial information. It also failed to promptly notify consumers endangered by the security breach, the lawsuit alleges.
Blumenthal is also seeking an injunction blocking Health Net from violating the Health Insurance Portability and Accountability Act (HIPAA). It is the first action by a state attorney involving HIPAA since state attorneys were given the right to enforce the legislation.
Health Net – now owned by UnitedHealth Group and Oxford Health Plans – suffered the loss of a portable disk drive last May containing health information, social security numbers, and bank account numbers of the victims. Insurance claim forms, membership forms, appeals and grievances, correspondence and medical records were among the information compromised. The data was unencrypted.
"Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months – most likely by thieves – before Health Net notified appropriate authorities and consumers,” Blumenthal said, adding that Health Net downplayed the danger.