DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Vermont Attorney General Settles Security Breach Allegations Against Health Net

Posted on January 20, 2011 by Dissent

Attorney General William Sorrell filed a complaint and proposed settlement Friday with Health Net, Inc., and Health Net of the Northeast, Inc., regarding the health insurance company’s loss of an unencrypted portable hard drive containing protected health information. The complaint alleges violations of HIPAA (the Health Insurance Portability and Accountability Act), Vermont’s Security Breach Notice Act, and Consumer Fraud Act. The settlement requires the defendants to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company’s information security programs for the next two years.

“Consumers expect – and the law requires – that personal information be treated with the utmost care,” said Attorney General William Sorrell. “Identity theft remains one of the fastest growing crimes in America. Companies must be careful to prevent Vermonters’ sensitive information, especially their medical records, from falling into the wrong hands.”

The lawsuit is Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009. The case arises from a portable hard drive that contained protected health information, social security numbers, and financial information of approximately 1.5 million people, including 525 Vermonters. Health Net discovered that the drive was missing on May 14, 2009 and did not start notifying affected Vermont residents until more than six month later. When it did notify Vermont residents, Health Net told them that it believed their risk of harm was “low” because “the files on the missing drive were not saved in a format that can be easily accessible.” The files on the unencrypted drive were in TIF (Tagged Image File) format, which can be viewed using a variety of freely available software.

The complaint alleges that Health Net’s six month delay in notifying Vermont residents violates the Security Breach Notice Act. That law requires data collectors to notify affected individuals of security breaches “in the most expedient time possible and without unreasonable delay.” The complaint further alleges that Health Net violated HIPAA by failing to secure protected health information, and that the company violated the Consumer Fraud Act by misrepresenting the risk posed to affected individuals in the company’s notice letters.

The complaint and proposed consent decree were filed in the U.S. District Court for the District of Vermont. The consent decree must be approved by a judge before it takes effect. Health Net, Inc., and Health Net of the Northeast, Inc., cooperated with the Vermont Attorney General’s investigation of this matter and have settled similar actions in Connecticut and New York.

Source: Attorney General William Sorrell

No related posts.

Category: Health Data

Post navigation

← (follow-up) Junior doctor's stolen laptop: files had been emailed
Nurse Fired for Snooping in Tiger Woods' Records Files Defamation Suit →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.