Skip to main content

First Ever State-initiated HIPAA Enforcement Action Settled

Written by Dianne Bourque

Connecticut Attorney General Richard Blumenthal has settled the first state-initiated HIPAA enforcement action. The settlement totals $250,000 in statutory damages and Health Net's agreement to implement a variety of measures to improve the security of consumer health and personal information. Health Net also agreed to provide two years of credit monitoring to affected individuals, $1 million of identity theft insurance and reimbursement for the costs of security freezes.

As we reported in this space, Blumenthal sued Health Net and its affiliates after they allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut residents and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information. Blumenthal also alleged that Health Net failed to promptly notify consumers endangered by the breach even after learning that the disk drive was stolen.
The Health Net case is the first action by a state attorney general for HIPAA violations since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

The full text of the settlement is available here:
http://www.ct.gov/ag/lib/ag/fraud/soctvhealthnetstipjudgment.pdf

 


 

Dianne Bourque

Dianne is an associate in the firm’s Health Law Section. She advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care.

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.