Health Net of Connecticut, Inc. allegedly failed to keep safe loads of medical and personal data on a portable computer disk drive that, when lost, breached the privacy of some 446,000 people, according to a lawsuit filed today by Attorney General Richard Blumenthal.
The company also did not promptly notify consumers of the medical records breach, Blumenthal said in a statement.
He said the case is the first action by a state attorney general involving violations of the Health Insurance Portability and Accountability Act, better known as HIPAA.
According to Blumenthal, the disk drive disappeared from a Shelton office sometime around May 14, but the company did not notify those customers whose Social Security and bank account numbers and health information might have been exposed until November, six months later.
The missing information included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records, he said.
According to company policy, the data should have been encrypted but was not, Blumenthal said.
"We have not seen the lawsuit but we’ll continue to work cooperatively with the attorney general," said Alice Ferreira, the Heath Net public relations director.