Health Net, a Connecticut-based health insurer, is to pay a penalty of $55,000 to the Office of the Vermont Attorney General for HIPAA violations and for failing to safeguard the information of the state's policyholders, following a HIPAA data breach that exposed the protected health information of 1.5 million people.
The Health Insurance Portability and Accountability Act (1996) requires all covered entities to report security breaches that expose patient records to the Department of Health and Human Services, and breach notifications must also be delivered to all affected individuals within a reasonable time frame.
Health Net discovered on May 19, 2009 that a computer hard drive had gone missing from its premises, yet it took the insurer more than six months to send breach notifications to the affected patients. When that notice was finally sent, the 525 Vermont residents affected by the breach were told that the risk of their data being viewed by unauthorized persons was low. According to Health Net, "the records on the lost drive weren't protected in a format which can be effortlessly opened."
The implication is that anyone in possession of the hard drive would be unlikely to be able to open the files it held. The Attorney General concluded that this was not the case: the data stored on the hard drive was neither password protected nor encrypted, and was saved in TIF format, a file type that can be opened by many commonly used software programs, many of which can be downloaded free of charge. Online conversion services can also easily convert such files into a more common format. In other words, an uncommon file format is obscurity rather than protection; only encryption of the data at rest would have changed the risk to the people whose records were on the drive.
The settlement was reached with the Attorney General for failing to safeguard the Protected Health Information of its policyholders, in violation of HIPAA. The insurer is additionally alleged to have misrepresented the risk posed to its policyholders in the breach notification letters it sent, which violated the Consumer Fraud Act. Health Net also violated the Security Breach Notice Act by needlessly delaying the breach notification letters that would have warned affected individuals of the risk of fraud and identity theft. Health Net was required to send notices "in the most practical time possible and without unnecessary delay."
A penalty of $375,000 must also be paid to the Connecticut Insurance Department for failing to safeguard health information and putting the privacy of Connecticut residents at risk. Since the lost or stolen hard drive held unsecured health information in violation of HIPAA, Health Net may also be penalized by the Office for Civil Rights.
On top of the penalties, Health Net has agreed to a complete data-security audit, and must carry out regular risk assessments and submit reports on its security and privacy practices to the Attorney General for two years.