Corporate Compliance

Health Net fined $55,000 for data breach

Compliance Monitor, January 26, 2011

Health Net, Inc. agreed to pay the Vermont government $55,000 to resolve charges that the healthcare insurer violated the HIPAA privacy rule, Vermont’s Security Breach Notice Act, and Consumer Fraud Act, according to a January 24 HealthLeaders Media article.

Health Net discovered on May 14, 2009, that a portable hard drive containing protected health information, social security numbers, and financial information of approximately 1.5 million people, including 525 Vermonters, was missing. However, the company did not notify affected Vermont residents until more than six months later. The settlement alleges that the six-month delay violates the Security Breach Notice Act, which requires data collectors to notify affected individuals of security breaches “in the most expedient time possible and without unreasonable delay.”

The settlement further alleges that Health Net violated the HIPAA privacy rule by failing to secure protected health information and violated the Consumer Fraud Act by misrepresenting the risk posed to affected individuals in the company’s notice letters.
