Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI
It didn't take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Health Net of the North East, Inc. and its various related affiliates (collectively, “Health Net”) consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)), available here, with the Connecticut Attorney General's Office and the State of Connecticut (the “Judgment”), which stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.
Background.
The Judgment was the end result of a year-and-a-half-long action brought by Connecticut Attorney General Richard Blumenthal (“CT AG”) on Jan. 13, 2010 against Health Net. (See Attorney Gen. v. Health Net of NE Inc., et al., complaint available here).
The CT AG alleged Health Net was responsible for “failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and [for failing to] promptly notify consumers endangered by the security breach" because a terabyte portable hard disk had been either lost or stolen at Health Net's Shelton, CT offices. (See CT AG Press Release, available here). The disk was later determined to contain “27.7 million scanned pages of over 120 different types of documents such as insurance claims forms, membership forms, appeals and grievances, correspondence and medical records” of 1.5 million past and present members of Health Net administered plans, including 538,470 Connecticut residents. As the data on the disk was neither encrypted nor protected from access by unauthorized persons or third parties, this loss, according to the CT AG, violated HIPAA's security standards and privacy rules, as provided in 45 CFR 160 and 164 Subparts A, C and D. (See 45 CFR 160, available here; 45 CFR 164, available here; see also HITECH Act, Sections 13402(a) and (b), available here).
The Complaint.
The Complaint claimed Health Net violated a litany of HIPAA provisions and:
“a. [] failed to ensure the confidentiality and integrity of electronic protected health information it created, receives, maintains, and transmits in violation of 45 CFR 164.306(a)(1).
b. Defendants failed to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights in violation of 45 CFR 164.312(a)(1).
c. Defendants failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility to maintain their security in violation of 45 CFR 164.310(d)(1).
d. Defendants failed to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 CFR 164.308(a)(1).
e. Defendants failed to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity in violation of 45 CFR 164.308(a)(6)(ii).
f. Defendants failed to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information in violation of 45 CFR 164.306(a)(2).
g. Defendants failed to protect against any reasonably anticipated uses or disclosures of electronic protected health information that are not permitted under the privacy rules regarding individually identifiable health information in violation of 45 CFR 164.306(a)(3).
h. Defendants failed to ensure compliance with the HIPAA security standard rules by its workforce in violation of 45 CFR 164.306(a)(4).
i. Defendants impermissibly and improperly used and disclosed protected health information that is and remains accessible to unauthorized persons in violation of 45 CFR 164.502 et seq.
j. Defendants failed to effectively train all members of its workforce (including independent contractors involved in the data breach) on the policies and procedures with respect to protected health information as necessary and appropriate for the members of its workforce to carry out their functions and to maintain security of protected health information in violation of 45 CFR 164.530(b) and 45 CFR 164.308(a)(5).
k. Defendants’ policies and procedures establishing physical and administrative safeguards were not adequately designed to appropriately and reasonably safeguard protected health information in violation of 45 CFR 164.530(c).
l. Defendants did not maintain an effective and appropriate sanctions policy for members of its workforce (both employees and independent contractors) who failed to comply with the policies and procedures for the protection and safeguarding of protected health information in violation of 45 CFR 164.530(e).”
In addition, the CT AG alleged Health Net's actions constituted unfair trade practices in violation of Conn. Gen. Stat. §42-110b (a/k/a “CUTPA”, with civil penalties of up to $5,000 per willful violation), and that the loss of the personal information was a “breach of security”, as defined by Conn. Gen. Stat. §36a-701b(a). Further, the Complaint alleged Health Net delayed disclosing the breach within the meaning of Conn. Gen. Stat. §36a-701b(b) (“Such disclosure shall be made without unreasonable delay . . . to identify the individuals affected, or to restore the reasonable integrity of the data system.”).
Finally, as relief, the CT AG sought: (a) a preliminary and permanent injunction from any further such violations by Health Net; (b) statutory damages for all violations (pursuant to 42 U.S.C. §1320-5(d)(1)(A)); (c) an injunction against further violations of CUTPA and Connecticut's data breach statute; (d) civil penalties pursuant to CUTPA; and, of course, (e) attorneys' fees.
The Judgment.
After a year and a half, with a docket replete with motions to extend the defendants' time to answer the complaint and a motion for preliminary judgment, the action came to a sudden head in early July with the CT AG's “Motion for judgment upon stipulation”, which in the course of two days was reviewed, approved and entered as the Judgment, bringing the action to a close. (See Docket here).
The Judgment maps out a rather onerous plan of "Corrective Action" and details a variety of additional facts, beyond those in the Complaint, that serve as a warning beacon as to practices to avoid as well as those to consider and follow.
$7 Million and Counting. As if to confirm that data breaches are not only costly, but distracting, time consuming and sure to be splashed on the front pages, the Complaint notes Health Net during its investigation and response engaged at least three consultants at a cost, including presumably Health Net's own time and efforts, “exceeding $7,000,000 to investigate the circumstances surrounding the missing portable disk drive, to notify Health Net Members, and to offer credit monitoring services and identity theft insurance.” Judgment at 6. The consultants included: Kroll, Inc., to forensically recreate the disk and determine what the missing disk contained; Navigant Consulting, Inc., to datamine the recreated disk and identify Health Net members and Connecticut residents; and, finally, Debix, Inc., to notify the affected members, 538,470 Connecticut residents and run a “dedicated call center to address their questions and concerns, and to provide credit monitoring services....” Id. Anyone handling PHI should carefully weigh the above sobering list of costs in the face of any hesitation to purchase and install full disk encryption across the enterprise.
Disk Logs. In addition, one item that can be gleaned from this action, both from the Complaint and the Judgment, is that any portable hard drive which could, conceivably, under any circumstances, contain PII or PHI should, according to the CT AG's office, be set up such that the OS or suitable third party software creates and maintains a “log file of the collection and transfer of [] data transferred to the disk drive.” Id. at 7.
Why a log file? The Complaint noted that:
"when the disk was discovered missing, the defendant Health Net's failure to create a log file further increased the risk of disclosure of the protected health information … and constituted a breach of the defendant's obligation to safeguard the protected health information because the defendant did not readily have information as to the contents of the disk drive. As a consequence, the defendant Health Net replicated the entire creation of the disk drive, thus delaying efforts to safeguard or otherwise mitigate the data breach.” Complaint at 5.
As a result, the inability to readily and quickly determine what a lost hard disk contained appears to be viewed by the CT AG as potential negligence on the part of the data owner/maintainer/receiver in the event of any breach or loss, because the time spent reconstructing the disk's contents in the absence of a log delays both mitigation and notice efforts.
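As an added illustration (this is not code from the Judgment or from Health Net's own tooling), the following Python sketches the minimum such a transfer log needs to record per file copied to removable media so that a lost disk's contents can be enumerated from the manifest alone, without recreating the disk. The device id, actor name and sample files are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Content hash so the manifest can later prove what was (or was not) on the disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def log_transfer(manifest_path, src_path, device_id, actor):
    """Append one JSON line per file copied to removable media (who, when, what, where)."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "device": device_id,            # serial/label of the portable disk
        "actor": actor,                 # account performing the copy
        "name": os.path.basename(src_path),
        "src": os.path.abspath(src_path),
        "bytes": os.path.getsize(src_path),
        "sha256": sha256_file(src_path),
    }
    with open(manifest_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record

def inventory(manifest_path, device_id):
    """Answer 'what was on device X?' from the manifest, the question Health Net could not answer."""
    with open(manifest_path, encoding="utf-8") as f:
        records = [json.loads(line) for line in f if line.strip()]
    on_device = [r for r in records if r["device"] == device_id]
    return {
        "files": len(on_device),
        "bytes": sum(r["bytes"] for r in on_device),
        "names": sorted(r["name"] for r in on_device),
    }

def demo():
    # Constructed sample: two scanned-document files copied to hypothetical disk "HN-PORTABLE-01".
    workdir = tempfile.mkdtemp()
    manifest = os.path.join(workdir, "transfer-log.jsonl")
    samples = (("claims_batch_0001.pdf", b"%PDF-1.4 constructed sample claim form\n"),
               ("membership_forms.csv", b"member_id,name\n1001,Jane Doe\n"))
    for name, body in samples:
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(body)
        log_transfer(manifest, path, "HN-PORTABLE-01", "scan-operator")
    return inventory(manifest, "HN-PORTABLE-01")
```

In a real deployment the manifest would be written to a server the disk cannot reach, since a log that travels with the disk is lost along with it.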
Corrective Action Plan. A substantial portion of the eighteen page Judgment is devoted to detailing the Corrective Action Plan (“CAP”) Health Net now operates under. And the ongoing costs, expenses and efforts of fulfilling this CAP will be added on top of the $7 million spent as of the Judgment. Notable items from the CAP include:
• Completion of notice sent to all members and Connecticut residents whose PI or PHI was on the disk. Judgment at 7-8;
• Two years of credit monitoring services through Debix that include credit monitoring by Transunion and credit restoration services for confirmed identity thefts, along with reimbursement for security freezes and credit unfreezes, plus $1,000,000 of “Personal Internet Identity insurance.” Judgment at 8-9;
• Agreeing to enhance its existing security and privacy program to include hardware/software sitting between Health Net's email servers and e-mail clients designed to identify email and attachments containing PHI or PI and to then “automatically encrypt email containing such identified information prior to transmission.” Id.;
• Installation of technology to restrict the transfer of PHI and PI to removable media sufficient to comply with HIPAA standards. Judgment at 9;
• Implementation of technology to identify where PHI and PI reside on its systems and that logs actual and attempted access to any such PHI and PI, as well as logging when PHI/PI is uploaded to or downloaded from a desktop or laptop (with a start date for implementation of Oct. 1, 2010). Id.;
• The encryption of all laptop hard drives and all desktop hard drives. Id.;
• Improved IT oversight, including the creation of an “Information Security Analyst” assigned to each new IT project with assessment duties, reporting directly to Health Net's Manager of Information Security. Judgment at 10;
• Requiring all “Business Associates”, as defined by HIPAA (see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html; see also 45 CFR 160.103, available here), to execute “HIPAA compliant Business Associate Agreements”. Id. (See also my colleague Tanya Forsheit's series of FAQs on the Proposed Modifications to the HIPAA Rules - Part One here; Part Two here);
• Implementation of supplemental education and training of employees by the Information Security team on encryption, storage and removable media – with such training to be performed via Health Net's “online Learning Management System”. Id.;
• Requiring that Health Net's CIO include “information security” as a regular agenda item at the department's “Monthly IT All Hands” meetings. Id.;
• Requiring Health Net's IT department to cover a “wide variety of information security topics in its monthly IT Awareness Newsletter” to be distributed to all employees. Judgment at 11;
• Providing all new employees with a one page laminated information sheet covering policies and procedures governing PHI protection. Id.;
• Showing all new employees during orientation a DVD detailing their expected information security responsibilities. Id.;
• Training all new employees on HIPAA privacy and security requirements, “including incident response procedures.” Id.;
• Conducting annual HIPAA training for all Health Net employees with electronic tracking of each employee's completion of the training. Id.;
• Holding an annual “Compliance Awareness Week” for all employees to “emphasize the importance of protecting the privacy and security of PHI.” Judgment at 12;
• Providing semi-annual updates to its initial status report (no end date for these updates is provided in the Judgment) and compliance documentation as reasonably requested by the CT AG, with such documentation to be maintained for at least six years. Judgment at 13.
Further, the Judgment also provides that Health Net is to pay $250,000 to the Connecticut General Fund, with another $500,000 contingent payment to the State of Connecticut if Debix determines, before November 30, 2011, that any data on the missing disk was accessed and misused or any claims are made on Debix's insurance policy linked to misuse of the lost disk drive. Judgment at 13-14.
There's little doubt that, while Connecticut's Attorney General has been the first to reach a settlement of this type, the forty-nine other Attorneys General have taken notice. Stay tuned.
LINKS:
Complaint: http://tinyurl.com/ILG-HealthNet-Complaint
Stipulated Judgment: http://tinyurl.com/ILG-HealthNet-Judgment
Docket Report: http://tinyurl.com/ILG-HealthNet-Docket