Blumenthal alleged that Health Net, Woodland Hills, Calif., dragged its feet in notifying the people whose information was contained in nearly 28 million pages of scanned documents on a terabyte drive that disappeared from the company's Shelton, Conn., offices.
Health Net has spent more than $7 million to investigate what happened to the disk drive, notify members, and offer credit-monitoring and identity-theft insurance to those affected, according to the settlement.
The document describes a laborious process that required enlisting a forensic expert to create a facsimile of the missing disk drive and then hiring a consulting firm to write a computer program that could mine the documents for the information necessary to identify and contact the affected members.
The settlement calls for Health Net to pay an additional $500,000 if it's discovered that the data has been misused.
The corrective action plan, which is not limited to the company's business in Connecticut, calls for the company to establish additional management structure and oversight to ensure data is encrypted; enhanced training and awareness initiatives; and incentives, monitoring and reports intended to foster compliance with the company's policies and procedures.
“All of these improvements will result in Health Net being in the forefront of securing member health information,” Health Net spokeswoman Alice Ferreira said in a written statement.
Health Net of the Northeast, which includes the company's business in Connecticut, New Jersey and New York, was sold to UnitedHealthcare subsidiary Oxford Health Plans in 2009, but Health Net continues to administer the plans there under a continuity agreement.