Data Security Breaches Give State Attorneys General a Chance to Exercise New HIPAA Powers

The Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that the plans failed to disclose for several months. This is a definite sign that state attorneys general may be using the HIPAA enforcement powers granted by the HITECH Act provisions in the Recovery Act.

Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires notification within two months of knowledge of a breach.

Connecticut Attorney General Richard Blumenthal has come forth as possibly the first attorney general to take on a HIPAA investigation, and Arizona’s attorney general may also be pursuing a similar route. The larger of the two breaches that have come to the attorneys general’s attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. In total, the lost data came from 1.5 million individuals, including individuals from New Jersey and New York.

Health Net reported the loss to the Connecticut attorney general on November 19. On the same day, Blumenthal issued a harsh statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated “federal laws,” as well as his state’s own data protection laws.

Blumenthal said he would “seek to establish what happened and why the company kept its customers and the state in the dark for so long.” Blumenthal said he was “outraged and appalled” by Health Net’s actions and stated that failure to provide notice sooner was “unconscionable foot-dragging.”

Health Net’s hard drive, which disappeared from its offices in Shelton, Connecticut, required a special reader to view, but it was not encrypted.

© 2009 Parsonage Vandenack Williams LLC
