CT AG is first to file suit under HITECH

It has begun. Connecticut Attorney General Richard Blumenthal, JD, has taken the first action by a state attorney general involving violations of the Health Insurance Portability and Accountability Act (HIPAA) since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

Blumenthal sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notifying consumers endangered by the security breach. He also is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted.

"Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said in announcing the suit. "Protected private medical records and financial information on almost a half-million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers."

The action in Connecticut should be a wake-up call for risk managers, says Gretchen Hellman, vice president of security solutions with Vormetric, a data security firm in Santa Clara, CA.

"This makes the regulation real and immediate," Hellman says. "Previously, HIPAA was lightly policed and considered toothless. This is a real example of HIPAA teething. Whether it's molars or fangs, we'll have to wait and see."

Hellman notes that most patient health data are not encrypted and the majority of state data breach laws do not include health data in their provisions. This lawsuit is a reminder that HIPAA-covered entities must rapidly alter their practices to address HITECH compliance, she says.

"Earlier this month, we saw research indicating that the average cost of a data breach has risen to more than $200 per record," Hellman says. "In all likelihood, the cost of future data breaches will rise to include attorney fees and additional legal penalties. There is a strong likelihood that this action sets a precedent for other state AGs to respond to data breaches with a similar response in the future."

CEO Christian Renaud of Palisade Systems in Des Moines, IA, which provides services to prevent data loss, agrees that the action in Connecticut is surely just the beginning of the HITECH lawsuits to be brought by state attorneys general.

"With this action by the attorney general, we expect to see more health care entities realize that they need solutions to ensure that their employees are well trained and educated, as well as protected from accidentally sending out patient information covered by HIPAA," he says. "Expect to see a rush from the smallest doctors' offices to large insurance providers and hospitals to make sure that information does not leak, and that they have the right technology in place, such as data-loss prevention."

According to the lawsuit, on or about May 14, 2009, Health Net learned that a portable computer disk drive disappeared from the company's Shelton office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 past and present Connecticut enrollees. The missing information included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence, and medical records.

Health Net reported to the state that the data were not encrypted or otherwise protected from access and viewing by unauthorized people or third parties, but rather were viewable through the use of commonly available software. Health Net did not respond to Healthcare Risk Management's request for comment.

Blumenthal alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing protected health and other personal and private information. It wasn't until six months after Health Net discovered the breach that it posted a notice on its web site, and then sent letters to consumers on a rolling mailing basis beginning on Nov. 30, 2009.

Blumenthal's lawsuit alleges that Health Net failed to effectively supervise and train its work force on policies and procedures concerning the appropriate maintenance, use, and disclosure of protected health information.

Sources

For more information on HITECH enforcement, contact:

• Gretchen Hellman, Vice President of Security Solutions, Vormetric, Santa Clara, CA. Telephone: (408) 961-6100.

• Christian Renaud, CEO, Palisade Systems, Des Moines, IA. Telephone: (888) 824-0720. E-mail: christian.renaud@palisadesystems.com.