Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

First Ever State-initiated HIPAA Enforcement Action Settled

Written by Dianne Bourque

Connecticut Attorney General Richard Blumenthal has settled the first state-initiated HIPAA enforcement action. The settlement totals $250,000 in statutory damages and Health Net’s agreement to implement a variety of measures to improve the security of consumer health and personal information. Health Net also agreed to provide two years of credit monitoring to affected individuals, $1 million of identity theft insurance and reimbursement for the costs of security freezes.

As we reported in this space, Blumenthal sued Health Net and its affiliates after they allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut residents and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, Social Security numbers, protected health information and financial information. Blumenthal also alleged that Health Net failed to promptly notify consumers endangered by the breach even after learning that the disk drive was stolen.

The Health Net case is the first action by a state attorney general for HIPAA violations since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

The full text of the settlement is available here:



Dianne Bourque

Dianne is an associate in the firm’s Health Law Section. She advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care.