The health insurer, which has a Northeast headquarters in Shelton, had a portable, external hard drive go missing in May, though it's not clear if it was lost or stolen. The company reported the lost records in November after a six-month internal investigation.
The drive contained medical claims and financial information of up to 1.5 million customers, mostly in the Northeast, dating to 2002, including 446,000 in Connecticut. Information on the drive is stored as images that require specialized software to open, but is not encrypted.
Blumenthal's office said the lost records are a violation of HIPAA, the Health Insurance Portability and Accountability Act of 1996, and is seeking a court order to require the company to encrypt all information placed on a portable device.
The attorney general's office says this is believed to be the first instance in which a state attorney general has enforced HIPAA since state attorneys general were given that right through the Health Information Technology for Economic and Clinical Health Act of 2009.
"Sadly, this case is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost a half-million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers."
Health Net officials hired an independent computer company, Kroll, to assess the amount and nature of the information on the hard drive. When the results of that research were in, the company reported the data breach. Last month, the attorney general's office said Kroll determined that two laptops were stolen from Health Net's Shelton facility around the same time the hard drive went missing.
Renewal rights to Health Net's membership rolls in Connecticut, New Jersey and New York were acquired last month by UnitedHealthcare. The transaction was approved by state Insurance Commissioner Thomas Sullivan, although Blumenthal is still investigating the acquisition that he has said causes "excessive concentration in some segments of the health insurance market."