HealthNet and Connecticut settle breach suit

In November 2009, health insurance provider HealthNet reported the loss of a portable disk drive, a loss that had occurred six months before the report. The drive held compressed but unencrypted data, including Social Security numbers and bank account information, on nearly half a million people. (Compression is not a security control: it slows a casual reader down for minutes at most, and anyone with the drive can decompress the data.) The loss outraged Connecticut Attorney General Richard Blumenthal and eventually led Connecticut to sue the insurer for HIPAA violations and for noncompliance with HealthNet's own security policies, which called for the sensitive data to be encrypted.

However, on July 6, 2010, Blumenthal (who is currently running to replace Chris Dodd (D-CT) in the U.S. Senate) announced that Connecticut had reached a settlement with HealthNet and its parent companies over the breach. According to Blumenthal, this was the first time a state Attorney General had reached such a settlement for a HIPAA violation. The settlement included:

  • $250,000 fine to be paid to Connecticut;
  • $500,000 contingency fund, to be paid to the state if it is determined that someone accessed the protected data on the lost drive; and
  • a "corrective action plan" which is aimed to enhance security of protected data in possession of HealthNet and its parent companies.

It is worth keeping in mind that the penalties could have been higher. Regardless of the size of the fine, though, this breach cost HealthNet far more than $250,000: the forensic investigation, notification of roughly half a million affected individuals, credit monitoring, and legal fees almost certainly exceeded the fine imposed by Connecticut. HealthNet's example is therefore a useful reminder of the value of doing everything practical to avoid a breach in the first place (here, full-disk or file-level encryption of any portable media that leaves the building), and of knowing how to handle a breach effectively when one does occur.

"Blumenthal wins $250,000 in Health Net settlement," TheDay.com (July 6, 2010).

Connecticut radiologist breaches privacy of hundreds

HealthImaging.com reported yesterday that a Connecticut radiologist previously affiliated with Griffin Hospital in Derby, Conn., "accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge." From HealthImaging.com:

From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.

On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.

This should remind healthcare providers to maintain the safeguards needed to prevent wrongful access to patient data. For example (and there is no indication that this is what occurred in this case), clinicians and other hospital staff should not keep their system passwords on sticky notes next to or on their monitors. Even if you believe everyone in your office is fully trustworthy, you never know who may get hold of restricted information such as usernames and passwords. Note also that because the access here was performed under other users' credentials, shared or stolen passwords do more than open the door: they attribute the intruder's activity to innocent staff in the audit trail, which is why Griffin's investigation started from patient complaints rather than from its own logs. The reputational and financial damage to your organization can be very substantial, and your contract with the PACS vendor is unlikely to indemnify or protect you from such losses.
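The Griffin case is a textbook pattern for log-based detection: a legitimate account, used from an unfamiliar workstation, sweeping hundreds of directory entries and downloading studies in bulk. As an added example (not code from HealthImaging.com, Griffin Hospital, or any PACS vendor), the Python below runs those checks over a constructed audit trail. The flat "timestamp account workstation action patient_id" log format, the workstation names, the account names, the thresholds, and the off-hours window are all assumptions made for the example; real PACS audit messages (for instance DICOM/IHE ATNA records) are richer but carry the same fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical flat audit format assumed for this example:
#   "<ISO timestamp> <account> <workstation> <action> <patient_id>"
# Real PACS audit trails are richer; the fields used here are the ones the
# Griffin investigation hinged on (who, from where, how many records, when).


def build_sample_log():
    """Constructed sample log (not real data): one radiologist account used
    normally during the day, then the same credentials used after hours from
    a different workstation to sweep the directory and pull image files."""
    lines = [
        "2010-02-24T08:02:11 rad_smith WS-RAD-01 LOGIN -",
        "2010-02-24T08:05:40 rad_smith WS-RAD-01 VIEW P1001",
        "2010-02-24T08:07:03 rad_smith WS-RAD-01 DOWNLOAD P1001",
        "2010-02-24T09:15:22 rad_smith WS-RAD-01 VIEW P1002",
        "2010-02-24T09:40:18 tech_jones WS-RAD-02 LOGIN -",
        "2010-02-24T09:41:02 tech_jones WS-RAD-02 VIEW P1003",
    ]
    t = datetime(2010, 2, 24, 18, 31, 0)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%S} rad_smith WS-LIB-07 LOGIN -")
    for i in range(60):  # 60 directory listings, every third one downloaded
        t += timedelta(seconds=20)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} rad_smith WS-LIB-07 LIST P{3000 + i}")
        if i % 3 == 0:
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} rad_smith WS-LIB-07 DOWNLOAD P{3000 + i}")
    return "\n".join(lines)


def parse_events(log_text):
    """Split each non-empty line into (timestamp, account, workstation, action, patient)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), account, host, action, patient))
    return events


def find_suspicious_sessions(log_text, known_hosts, list_threshold=20,
                             download_threshold=10, off_hours=(18, 7)):
    """Group events per (account, workstation, calendar day) and flag sessions that
    look like credential misuse: an unfamiliar workstation for that account, bulk
    directory listing, bulk downloads, or a session that starts outside the
    assumed working hours (off_hours = (start_hour, end_hour), wrapping midnight).
    Returns a list of findings, each with the reasons that fired."""
    sessions = defaultdict(lambda: {"listed": set(), "downloaded": set(),
                                    "first": None, "last": None})
    for ts, account, host, action, patient in parse_events(log_text):
        s = sessions[(account, host, ts.date())]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if action == "LIST":
            s["listed"].add(patient)
        elif action == "DOWNLOAD":
            s["downloaded"].add(patient)

    start_off, end_off = off_hours
    findings = []
    for (account, host, day), s in sessions.items():
        reasons = []
        if host not in known_hosts.get(account, set()):
            reasons.append(f"workstation {host} not in {account}'s known set")
        if len(s["listed"]) >= list_threshold:
            reasons.append(f"listed {len(s['listed'])} patient directories")
        if len(s["downloaded"]) >= download_threshold:
            reasons.append(f"downloaded images for {len(s['downloaded'])} patients")
        if s["first"].hour >= start_off or s["first"].hour < end_off:
            reasons.append(f"session started off-hours at {s['first']:%H:%M}")
        if reasons:
            findings.append({"account": account, "host": host,
                             "day": str(day), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Baseline of workstations each account normally uses (an assumption for the sample).
    known = {"rad_smith": {"WS-RAD-01"}, "tech_jones": {"WS-RAD-02"}}
    for f in find_suspicious_sessions(build_sample_log(), known):
        print(f["account"], f["host"], f["day"], "->", "; ".join(f["reasons"]))
```

On the constructed log only the evening WS-LIB-07 session is reported, with all four reasons firing, while the same account's normal daytime work is not. The thresholds are deliberately crude; the point is that a review of the PACS audit trail, run daily, would have surfaced this activity long before patients began telephoning the hospital.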

"Radiologist breaches data, images of nearly 1,000 patients via PACS," HealthImaging.com (March 31, 2010).