Client Information Security Helping Organizations Protect Private Client Data

A New Era in HIPAA Enforcement Has Begun

Connecticut AG files First HITECH Act Law Suit

In the first lawsuit to invoke the new provisions of the HITECH Act, Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net for violating HIPAA requirements. Here is the actual complaint: CT Complaint Against HealthNet

The lawsuit was filed on January 13, 2010 and was described in a statement “Sadly . . . historic.” The suit alleges that Health Net failed to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees and promptly notify consumers endangered by the security breach.  This case is the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).  The suit also alleges a violation of Connecticut’s breach notification statute.

On or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices.  The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents.  Health Net did not begin notifying affected individuals until November 2009.

Is this the first sign of the fines/lawsuits organizations will face in the future?

• Have you implemented new policies and procedures to ensure compliance with the HITECH requirements?
• Have you trained all employees on new requirements?
• Do you have tracking and documentation of employee acknowledgements and understanding?
• Have you implemented ongoing awareness training as risks, threats and best practices are constantly changing?

What have you done to inform your clients of the risks they also face and offered them data breach insurance coverage?