The new privacy police
Conn. cited as first to sue under new authority
States are beginning to police health information privacy breaches under new authority provided by the federal stimulus law. Digital privacy experts applaud the move, saying states—already charged with defending consumer protections—are well-suited to the job.
In what is widely agreed to be the first such case, last week Connecticut Attorney General Richard Blumenthal filed a civil lawsuit against Health Net alleging the health insurer failed to secure the patient medical records and financial data of 446,000 members or promptly notify customers of the security breach.
Blumenthal is exercising new authority under the American Recovery and Reinvestment Act, known as the stimulus law, which President Barack Obama signed into law in February 2009.
Under that law, states can prosecute violators of the Health Insurance Portability and Accountability Act of 1996. Previously, only federal authorities could pursue HIPAA violations. State attorneys general have pursued health information privacy breaches in the past, most notably in California and New York, but under state consumer protection laws.
“This is a huge step forward,” said Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, a civil liberties group based in Washington. “Attorneys general are consumer watchdogs; I say kudos to them.”
In May 2009, Health Net learned that a portable computer disk drive containing the health information, Social Security numbers and bank account numbers of nearly half a million past and present enrollees had disappeared. The missing drive included 27.7 million scanned pages of more than 120 types of documents, including claims forms, appeals, grievances, correspondence and medical records, according to Blumenthal’s complaint. The data was not encrypted or otherwise protected from viewing.
Six months after learning of the breach, Health Net posted a notice on its Web site and began notifying affected consumers by mail on Nov. 30, 2009, according to the complaint.
Health Net, which is based in Woodland Hills, Calif., sold its Northeast business to UnitedHealth Group and Oxford Health Plans—a unit of UnitedHealth—in December. Those two companies are also named in the lawsuit because they are the current owners.
“The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable,” Blumenthal said in a written statement. “Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”
In a written statement, Health Net said there is no evidence that the data has been misused. The company is reviewing the lawsuit and said that “protecting the privacy of our members is extremely important to us.” The company offered two years of free credit-monitoring to affected members and $1 million of identity-theft insurance, according to the statement. No evidence has surfaced that any member experienced identity theft after the May incident, according to the statement, and Health Net promises free assistance to any member who does.
Blumenthal is seeking civil penalties under HIPAA. Those penalties, updated through the stimulus law, cannot exceed $1.5 million per year.
Patient information breaches are not uncommon.
Just last week, Blue Cross and Blue Shield of Tennessee disclosed that the personal information of an estimated 500,000 members is at risk after 57 hard drives were stolen from a leased facility in Chattanooga in October.
The hard drives contained audio and video files related to care coordination and recorded eligibility phone calls from providers and members. The files contained member names and Blues ID numbers and some diagnostic information, dates of birth and Social Security numbers, the Tennessee Blues said.
As of Jan. 7, some 220,000 members had been identified as being at risk of having their name, Social Security number, date of birth and address exposed. About 157,500 have been notified by mail of the breach. These customers have been offered one year of free credit-monitoring and identity-theft counseling.
There’s no evidence that member data has been accessed or used, the Chattanooga, Tenn.-based insurer said.
A call to the Tennessee attorney general’s office was not returned by deadline.
And in one of the first criminal cases under HIPAA, earlier this month, the U.S. attorney’s office in Los Angeles and the FBI announced a plea agreement in the case of a medical researcher at UCLA Health System who peeked at the medical records of co-workers and celebrities. He faces a maximum term of four years in federal prison and will be sentenced on March 22.
To help consumers become more comfortable with online medical-record keeping, McGraw said, authorities must be more assertive in invoking their authority available under HIPAA.
“Consumers will be better off if more people are keeping an eye on it,” McGraw said.