Health Net to pay $250,000 after Conn. data breach

Health Net has agreed to pay $250,000 and enter a corrective action plan to settle a lawsuit brought by Connecticut Attorney General Richard Blumenthal after a hard disk containing information of 1.5 million current and former members was lost or stolen.

Blumenthal sued the company in January, becoming the first state attorney general to wield new authority granted under the stimulus law to enforce the privacy provisions of the Health Insurance Portability and Accountability Act of 1996. The agreement resolving the case stipulates that the settlement does not represent an admission of liability or wrongdoing by Health Net.

Blumenthal alleged that Health Net, Woodland Hills, Calif., dragged its feet in notifying the people whose information was contained in nearly 28 million pages of scanned documents on a terabyte drive that disappeared from the company's Shelton, Conn., offices.

Health Net has spent more than $7 million to investigate what happened to the disk drive, notify members and offer credit monitoring and identity-theft insurance to those affected, according to the settlement.

The document describes a laborious process that required enlisting a forensic expert to create a facsimile of the missing disk drive and then hiring a consulting firm to write a computer program that could mine the documents for the information necessary to identify and contact the affected members.

The settlement calls for Health Net to pay an additional $500,000 if it's discovered that the data has been misused.

The corrective action plan, which is not limited to the company's business in Connecticut, calls for the company to establish additional management structure and oversight to ensure data is encrypted; enhanced training and awareness initiatives; and incentives, monitoring and reports intended to foster compliance with the company's policies and procedures.

“All of these improvements will result in Health Net being in the forefront of securing member health information,” Health Net spokeswoman Alice Ferreira said in a written statement.

Health Net of the Northeast, which includes the company's business in Connecticut, New York and New Jersey, was sold to UnitedHealthcare subsidiary Oxford Health Plans in 2009, but Health Net continues to administer the plans there under a continuity agreement.