The cost of Health Net’s privacy and security breach

Health Net’s recent settlement with the Connecticut Attorney General shines a light on some of the noteworthy costs and risks of data breaches. It’s a sobering view.

In early July 2010, Health Net settled allegations by the Connecticut Attorney General that Health Net had violated its obligations under the HIPAA privacy and security rules. The settlement capped the first enforcement by a state Attorney General of HIPAA violations since such state enforcements were authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

According to the Connecticut AG, Health Net had made several errors. Health Net had at its offices a portable hard drive containing records of more than one million past and present members of health plans administered by Health Net. The data on the disk was not encrypted [Strike One!], nor was the data protected from access by unauthorized third parties [Strike Two!]. Health Net discovered that the portable hard drive was lost or stolen, but the Connecticut AG asserted that the company did not promptly notify the affected individuals that their records may have been compromised [Strike Three!]. There were several additional violations alleged, but these three reflect the core behavior at issue.

An interesting risk management lesson that may be learned from the situation is the importance of maintaining disk logs. The Connecticut AG seemed to place considerable importance on the absence of log files that tracked the collection and transfer of data to the disk drives. According to the complaint, the “failure to create a log file further increased the risk of disclosure of the protected health information … and constituted a breach of [Health Net’s] obligation to safeguard the protected health information because [Health Net] did not readily have information as to the contents of the disk drive. As a consequence, the defendant Health Net replicated the entire creation of the disk drive, thus delaying efforts to safeguard or otherwise mitigate the data breach.”
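The kind of export log the complaint faults Health Net for not keeping, as an added example that is not part of the original post or any Health Net tooling: each file written to a portable drive is recorded with a hash, size and record count, so that "what was on the drive?" and "was the recovered drive altered?" can be answered from the log alone instead of recreating the drive. All drive ids, user names and member records are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_export(log: List[str], drive_id: str, filename: str, data: bytes,
                  exported_by: str, when: Optional[str] = None) -> dict:
    """Log one file written to a drive: who, when, what, size, hash, and how
    many data rows it held (CSV-style content, header line excluded)."""
    rows = max(data.count(b"\n") - 1, 0)
    entry = {
        "ts": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "drive_id": drive_id, "file": filename, "bytes": len(data),
        "records": rows, "sha256": sha256_hex(data), "by": exported_by,
    }
    log.append(json.dumps(entry, sort_keys=True))  # one JSON line per export
    return entry

def _entries_for(log: List[str], drive_id: str) -> List[dict]:
    return [e for e in map(json.loads, log) if e["drive_id"] == drive_id]

def drive_inventory(log: List[str], drive_id: str) -> dict:
    """What was on this drive? Answered from the log, without rebuilding the drive."""
    files = _entries_for(log, drive_id)
    return {
        "drive_id": drive_id,
        "files": sorted(e["file"] for e in files),
        "records": sum(e["records"] for e in files),
        "bytes": sum(e["bytes"] for e in files),
    }

def verify_drive(log: List[str], drive_id: str, present: Dict[str, bytes]) -> List[str]:
    """After a drive is recovered: names of logged files that are missing from it
    or whose content hash no longer matches the log."""
    bad = [e["file"] for e in _entries_for(log, drive_id)
           if e["file"] not in present or sha256_hex(present[e["file"]]) != e["sha256"]]
    return sorted(bad)

# Constructed sample: two member extracts copied to one portable drive.
MEMBERS_A = b"member_id,name\nM001,Ada\nM002,Bob\n"
MEMBERS_B = b"member_id,name\nM003,Cy\n"
EXPORT_LOG: List[str] = []
record_export(EXPORT_LOG, "PHD-0001", "members_a.csv", MEMBERS_A, "analyst1",
              "2009-05-01T10:00:00+00:00")
record_export(EXPORT_LOG, "PHD-0001", "members_b.csv", MEMBERS_B, "analyst1",
              "2009-05-01T10:05:00+00:00")
```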

The case spent about a year and a half in the courts, with lawyers for both sides making and responding to several motions. Most of the motions appear to have involved Health Net’s requests for additional time to respond to the complaint. It seems clear that a great deal of forensic and legal investigation was involved; see the discussion below of the costs incurred by Health Net in the matter.

The July 2010 settlement had several components. Health Net paid a $250,000 fine and agreed to make a $500,000 contingent payment under certain circumstances, most notably if it is determined that data on the missing disk was accessed and misused. Health Net also agreed to undertake an extensive set of corrective actions. These include, among many other items:

  • The sending of notice to all individuals whose information was on the missing hard drive,
  • The provision of two years of credit monitoring services,
  • The provision of credit restoration services with respect to confirmed identity thefts,
  • Reimbursement for security freezes and credit unfreezes,
  • $1,000,000 of identity theft insurance,
  • Numerous technology implementations designed to protect data and restrict access to it,
  • Improved IT oversight,
  • Requiring all “Business Associates” (as defined by HIPAA) to sign business associate agreements that comply with HIPAA requirements,
  • Enhanced education and training of employees with respect to HIPAA and data security, and
  • Encryption of all computer hard drives.

Lessons Learned

The long list of corrective actions described above provides healthcare-related companies with a starting point for the kinds of risk management practices that should be considered with respect to the security of protected health information. That is certainly helpful.

Perhaps the most eye-opening aspect of this matter is the more than $7,000,000 that Health Net spent in investigating and responding to the breach. These expenses included the costs involved in hiring three different firms to help with the forensic investigation, identification and notification of affected individuals, the provision of credit monitoring services and identity theft insurance, and the staffing of a dedicated call center to answer questions and provide information. Note that these are out-of-pocket, “first-party” costs incurred by Health Net without regard to third-party claims (such as the claims by the Connecticut AG) against it.

While many commentators have noted that, so far, courts have been hostile to plaintiffs’ identity theft claims where there has been no actual identity theft but only the risk of such fraud, this matter shows that the potentially mammoth first-party costs of dealing with a data security breach can be sufficient to justify obtaining appropriate insurance coverage.

It is also important to note, however, that the mere presence of any insurance policy denominated as “cyberliability” might not be sufficient to protect a company from bearing full financial responsibility for the costs incurred in this type of situation. There were aspects of this matter that might well enable aggressive insurers to deny coverage with respect to many or most of the costs incurred by Health Net (the complaint and settlement do not indicate whether Health Net had insurance coverage).

Most cyberliability insurance policies have an “inadvertent” coverage gap that would have been implicated in this matter — but it is a coverage gap that virtually all insurers are willing to close if asked. The area of cyberliability insurance coverage is evolving rapidly, and insurance policy forms do not keep up with changes in the law or real-world claims experience. Insurers do not generally offer unilaterally to plug coverage gaps, however, so insurance buyers need to be diligent in negotiating coverage.

At considerable expense to itself, Health Net has provided a useful illustration of the before (preventative), during (mitigation) and after (corrective) aspects of dealing with data breaches.

Comment, May 30, 2011 at 12:03 am:

    Your guide was meaningful to me. It clarified a lot of hard questions. Thanks a great amount.
