Health Net became the latest company to lose data containing the personal, financial and medical information of hundreds of thousands of Connecticut residents. The data disappeared from Health Net in May, but the company did not inform consumers (or authorities) about the breach of privacy until about two weeks ago (a six-month delay).
A spokeswoman for Health Net said the company was initially unable to determine what information was on the lost drive, forcing it to conduct a lengthy investigation, which included a detailed forensic review by computer experts. To date, the company said it has not had any reports of misused data.
This is not the first data breach impacting Connecticut residents. Earlier this month, the Attorney General demanded answers and identity-theft protection for nearly 19,000 health professionals in the state whose confidential data was on a stolen laptop computer taken from the Blue Cross and Blue Shield Association in the Chicago area. The laptop disappeared in August, but Anthem did not notify the affected doctors, therapists and other professionals about the breach until October, a move that also drew criticism from the Attorney General.
As previously outlined in this blog, a Final Rule was recently published, clarifying covered entities’ and business associates’ liabilities for breaches of patients’ unsecured PHI. The Final Rule was effective September 23, 2009. In summary, the Final Rule clarifies that when a breach occurs:
– A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach;
– A covered entity must notify the media in the event of a breach of unsecured PHI involving more than 500 residents of a State or jurisdiction;
– A covered entity must notify HHS in the event of a breach of unsecured PHI involving 500 or more individuals;
– A business associate must notify the covered entity of any breach of unsecured PHI.
For more information regarding HIPAA, please contact Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510 or visit The Health Law Partners, P.C. website.