Connecticut has settled a lawsuit with an insurance company involving a massive security breach that compromised financial and medical records for half-a-million state residents.
In May 2009, Health Net lost a disk drive containing names, addresses, social security numbers and medical information for 500,000 Connecticut residents and 1.5 Million patients nationwide. The company didn't report the missing disk for months.
Attorney General Richard Blumenthal says an investigation by Health Net concluded the disk was most likely stolen. "These missing medical records included some of the most personal, intimate patient information -- exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft," Blumenthal said.
The settlement involves Health Net of the Northeast Inc., Health Net of Connecticut Inc. and parent companies UnitedHealth Group Inc. and Oxford Health Plans.
Blumenthal calls the settlement historic, with the state's unprecedented enforcement of the federal Health Insurance Portability and Accountability Act (HIPAA). The 1996 act helps protect patients' medical records.
Under the settlement, Health Net agreed to implement measures to protect health information and other private data. The company will also pay the state a $250,000 fine, and agreed to an additional $500,000 payment if the missing disk drive was accessed and the information on it was used improperly.
