State sues Health Net over data leak

Health Net of Connecticut Inc. knowingly failed to protect private medical and personal records on a portable disk drive, leading to a "massive privacy breach," Attorney General Richard Blumenthal alleges in a lawsuit filed Wednesday.

The medical and personal information of some 446,000 of the insurer's customers went unprotected for months last year, even after the company learned the data had been lost, Blumenthal charged. The company also did not promptly notify consumers of the medical records breach, he said.

The missing information included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records, Blumenthal said.

"They failed not only to protect the information through encryption but also to alert patients and consumers who are at risk," Blumenthal said Wednesday after filing the lawsuit in the U.S. District Court.

The case is the first action by a state attorney general involving alleged violations of federal law under the Health Insurance Portability and Accountability Act, better known as HIPAA, he said.

The lawsuit also names new owners of Health Net, UnitedHealth Group Inc. and Oxford Health Plans LLC, even though they did not cause the data breach.

In a statement, the company said its policy is to encrypt and secure data, an effort that "is extremely important to us."

While it has no evidence that there has been any misuse of the compromised information, the company is reviewing the lawsuit and will "continue to work cooperatively" with Blumenthal on the matter, the company said.

In the lawsuit, Blumenthal calls the inaction on the part of the company "willful" because it violated its own policy of safeguarding the information before the portable disk drive went missing from its Shelton office sometime around May 14. Then, afterward, the firm did not notify those customers whose Social Security and bank account numbers and health information might have been exposed until November, six months later.

Blumenthal also charges that the firm failed to properly train and supervise its employees on policies and procedures concerning the appropriate maintenance, use and disclosure of protected health information.

Health Net noted it is offering two years of free credit monitoring services for all affected customers, including $1 million of identity theft insurance coverage and enrollment in fraud resolution services for two years, if needed.

If customers suffer from identity theft between May of 2009 and the date of their enrollment, Health Net will provide services to restore the member's identity at no cost to the member, the company said.

"They have cooperated in providing some initial remedies, but we want (the remedies) to be longer and fuller," Blumenthal said.

He is seeking damages for affected individuals, monetary penalties for the state and orders forbidding future violations.

p.daddona@theday.com