Six-Month Failure to Give Notice of Unencrypted Data Loss Leads to Lawsuit
January 28, 2010
by Michael Fleming
Discovery of a data security breach within a business, particularly one with highly regulated privacy and data security obligations such as a health insurance provider, will always lead to difficult and likely expensive consequences. Those difficulties are compounded when it is discovered that the exposed data was extensive, was highly private information regarding health and financial data of patients, and had not been encrypted. According to a lawsuit filed by the Connecticut Attorney General against Health Net, a health plan provider operating in the Northeast, this was the circumstance faced by Health Net in May 2009 when it learned that a portable disk drive containing patient data involving hundreds of thousands of patients and 27 million scanned pages could not be found. The Complaint states that an internal investigation soon revealed to Health Net that the data on the missing drive was unencrypted.
Yet, Health Net allegedly gave no notice of the breach, either to the affected patients or to law enforcement authorities, until November 2009 -- about six months after the problem was discovered. If true, this took a bad situation and made it much worse for Health Net.
The State of Connecticut sued Health Net under federal law, namely the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was amended in 2009 to add an explicit data security breach notification obligation. The lawsuit also alleges violations of Connecticut state unfair business practices laws. The claims concern a failure to protect the data in the first place (essentially a failure to encrypt it, together with a failure to properly train Health Net's own employees on good data security practices), as well as a failure to promptly give notice to authorities and affected consumers once the breach had been discovered.
According to one news source, Health Net has recently offered all of the affected consumers the typical panoply of credit monitoring services and insurance against fraud and identity loss. The same source suggests this will do little to blunt what is likely to be a multi-million dollar fine to be paid to the state of Connecticut. Further, it was suggested that Connecticut may not be the only state that will sue; consumers in three other states were affected.
Apart from emphasizing the long-standing importance of creating and enforcing strong data security policies, procedures and training, the case is also a strong reminder of how breach notification obligations no longer allow impacted companies to withhold bad news. Once a company learns of a breach, the rapid response actions must include a detailed legal review of the numerous federal and state laws that may require notices to be delivered to consumers and law enforcement agencies. Failure to provide adequate breach notification can make an already difficult situation extremely harmful to the company’s reputation as well as its wallet.
This case should also grab the attention of the merger and acquisition crowd. In late 2009, Health Net was purchased by United Health Group. United Health apparently became aware of the May incident by late 2009 as it was pursuing its purchase of Health Net, as the Complaint notes that United Health had already acknowledged the breach to Connecticut regulators and that it would accept financial responsibility after it had purchased Health Net. This incident underscores the importance of deep examination of data security concerns before buying a business. A wise buyer will engage in thorough due diligence of the target company's data security systems, policies and history before closing on the deal, and factor in the financial and reputational consequences of purchasing a company that has a data security problem. While that may be obvious when the target is a health care plan or provider, data security problems are present in many other scenarios, particularly where the target company holds credit card or other financial data. Data security due diligence is no longer a luxury or an optional item, but is rapidly becoming the norm in almost every deal.
- Michael Fleming is a member of the Larkin Hoffman Daly & Lindgren Ltd. Intellectual Property, Technology and Internet Practice.