Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers

Published: 2009-12-10 16:19:20
Author: Atlantic Information Services | December 9, 2009

In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months.

Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which mandates notification within two months of knowledge of a breach.

Connecticut Attorney General Richard Blumenthal (D) has emerged as possibly the first AG to take on a HIPAA investigation, and Arizona’s AG may also be pursuing a similar course. The larger of the two breaches that have come to the AGs’ attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, who also hailed from New Jersey and New York.

Health Net reported the loss to the Connecticut AG on Nov. 19, and on the same day Blumenthal issued a scathing statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated “federal laws,” as well as his state’s own data protection laws.

“I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted,” Blumenthal said. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Blumenthal said he would “seek to establish what happened and why the company kept its customers and the state in the dark for so long.” The Connecticut attorney general minced no words, saying he was “outraged and appalled” by Health Net’s actions. He added that failure to provide notice sooner was “unconscionable foot-dragging,” which he said followed the plan’s “inexplicable and inexcusable delay.”

The Connecticut AG also said he would “demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers.”

Health Net described the hard drive, which disappeared from its offices in Shelton, Conn., as requiring a special reader to view, but the drive was not encrypted.

Two Incidents in November Alone

Blumenthal’s “outrage” over the delay in notification and the size of the breach may have been exacerbated by the fact that this was the second such incident affecting his state’s residents to come belatedly to his attention in the same month.

And Blumenthal had already deemed the first incident — which affected “only” 19,000 health care providers — “one of the most sizable and significant” in the state’s history.

That loss involved a laptop, stolen on Aug. 25 from Anthem Blue Cross Blue Shield, that contained names, addresses, Social Security numbers and other information on providers (not patients). The laptop was not encrypted.
