First Lawsuit Filed by a State Attorney General Under the HITECH Act

On January 12, 2010, Connecticut’s Attorney General filed a lawsuit against Health Net of Connecticut, Inc. (Health Net) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to enforce the Privacy and Security Rules under HIPAA. 

In a press release, Connecticut’s Attorney General Richard Blumenthal said, “[s]adly, this lawsuit is historic—involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA.”  Connecticut Attorney General’s Office Press Release, January 13, 2010.   

According to the allegations in the complaint, Health Net failed to maintain the confidentiality and security of enrollees’ medical and other personal and financial information, and failed to promptly notify affected individuals and Connecticut government agency authorities.  Apparently, a portable disk drive disappeared from a Health Net Connecticut corporate office.  The disk contained unencrypted protected health information, including Social Security numbers, bank account numbers, names and addresses for approximately half a million enrollees.  The complaint states that Health Net learned of the breach in May 2009, but did not begin notifying affected individuals until November 2009 via a posting on its website and written correspondence to each affected individual.  The delay in notifying the affected individuals was apparently due to Health Net’s failure to create a log file of the information.  Consequently, Health Net had to replicate the entire disk drive in order to determine the individuals affected by the breach. 

Blumenthal also filed an injunction against Health Net on January 13th.  Blumenthal is asking the court to order Health Net to: (i) develop and implement effective policies and procedures in accordance with HIPAA; (ii) properly train its employees and other members of its workforce who have access to the protected health information; (iii) encrypt protected health information (although not required under the HITECH Act); (iv) pay damages to all affected individuals and a fine to the State; and (v) take corrective action and make all efforts to protect affected individuals against identity theft and other harm.  In the notice to affected individuals posted on its website, Health Net is offering affected individuals 2 years of free credit monitoring services, including $1 million of identity theft insurance coverage and enrollment in fraud resolution services, if needed.  Health Net is also agreeing to provide services to restore an individual’s identity for anyone who experiences identity theft problems between May 2009 and the date of enrollment. 

This is the first lawsuit filed by a state attorney general involving HIPAA violations since such actions were authorized under the HITECH Act, which became effective on February 17, 2009.  Specifically, the HITECH Act authorizes a state attorney general to file an action against an entity subject to HIPAA when the attorney general “has reason to believe that an interest of one or more of the residents of that state has been or is threatened or adversely affected by any person who violates a [privacy or security provision under HIPAA].”  42 U.S.C. §13410(d).  The HITECH Act also significantly increased the penalties for HIPAA violations.  Such violations are subject to penalty ranges that correspond to the violator’s level of culpability.  The penalty range for unintentional violations is $100 to $50,000 per violation; for violations due to reasonable cause, the penalty range is $1,000 to $50,000 per violation; for violations due to willful neglect that are corrected, the penalty range is $10,000 to $50,000 per violation; for violations due to willful neglect that are not corrected, the penalty is $50,000 per violation.  There is a penalty cap of $1.5 million for all violations of an identical provision in a year.  Entities that correct a violation within 30 days of discovering an unknown violation may avoid the imposition of a civil money penalty.

The HITECH Act brings a new era of enforcement against entities that fail to identify and promptly respond to reportable breaches of protected health information.  All entities subject to HIPAA should take their obligation to maintain the privacy and security of individuals’ protected health information seriously.  Such entities should take appropriate steps to: (i) develop, adopt and implement the policies and procedures required for compliance with the Privacy and Security Rules and the breach notification regulations; (ii) review and update existing Business Associate Agreements and Services Agreements, if applicable, for compliance with the HITECH Act requirements; and (iii) train all employees and other members of the workforce who have access to protected health information regarding HIPAA, the HITECH Act and the organization’s privacy and security policies and procedures.  Even though not required by the HITECH Act, encryption of protected health information may be worth pursuing.

If you have any questions regarding the HITECH Act, please contact any member of Greenebaum’s Health, Health Insurance and Life Sciences Team.

To learn more about John R. Cummins and his practice, please visit his profile.

Even though the content of the above Greenebaum Doll & McDonald e-bulletin is primarily informative, state and federal law obligates us to inform you that this is an advertisement. You have received this advisory because you are a client or friend of the firm.

About Greenebaum Doll & McDonald PLLC
Greenebaum Doll & McDonald PLLC is a widely-respected business law firm with approximately 170 professionals in five offices, serving local, national and international clients in virtually every industry. A forward-thinking business law firm, Greenebaum is committed to the practice of Breakthrough Law®. 

Copyright 2010 Greenebaum Doll & McDonald PLLC.  All Rights Reserved.

  • Partner

    John is a partner in the firm's Estate Planning Department. He focuses his practice on estates, trusts, family business and disability planning, and the administration of estates and trusts. John also has an active health law ...


