The Parade of PHI Security Breaches: WellPoint Finally Settles with the Attorney General of Indiana

As reported previously on this blog series, the requirements under HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches.

An earlier posting on December 13, 2010 (the “2010 Posting”) reported that, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “2010 Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

As reported by Ben Keller from London, Indiana Attorney General Greg Zoeller announced on July 5, 2011 in a press release (the “2011 Press Release”) that WellPoint agreed to pay $100,000 after the company failed to notify customers and the state Attorney General “without unreasonable delay” of a data breach that occurred between October 2009 and March 2010. In response to a request by Mr. Keller to comment for the article, I was quoted as follows:

By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state. . . . [U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.

This posting will endeavor to make some additional observations about the Indiana case. As reported in the 2010 Posting, the Connecticut case proceeded under the federal HIPAA/HITECH statute, while Mr. Zoeller proceeded only under an Indiana state law. Subsequent to the 2010 Posting, this blog series reported on a settlement in Vermont in January 2011 that was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts.

In summary, there have now been three reported settlements by Attorneys General for PHI security breaches:

(i) one that proceeded solely under the federal HIPAA/HITECH statute (Connecticut);

(ii) another that proceeded under both the federal HIPAA/HITECH statute and state law (Vermont); and

(iii) a third one that proceeded solely under state law (Indiana).

The 2010 Posting also raised the question as to why Mr. Zoeller had proceeded only under the Indiana state law and not under HIPAA/HITECH as well. The 2011 Press Release sheds some light on the matter:

In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General's Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General's Identity Theft Unit.

It is clear that Mr. Zoeller wanted to achieve a successful result under the state statute for which he had personally urged passage. However, while the 2010 Posting reported that Mr. Zoeller was seeking $300,000 in civil penalties from WellPoint, he settled for $100,000 in penalties, plus, among other sanctions, the requirements that WellPoint provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach and that WellPoint reimburse any WellPoint consumer up to $50,000 for any losses that result from identity theft due to the breach.

As stated earlier, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments and other sanctions under HIPAA/HITECH and/or state law. Such actions can generate revenues for the state, act as a deterrent to others and generate positive media coverage for successful attorneys general.

Prompt, decisive and compliant action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches.
 

(Michael J. Kline, the author of this entry and a co-author of this blog, is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

The Parade of PHI Security Breaches: Escalating Enforcement Activity by State Attorneys General - Most Recently in Vermont

As reported previously on this blog (here and here) relative to cases brought by former Connecticut Attorney General Richard Blumenthal (the “Connecticut Action”) and Indiana Attorney General Greg Zoeller (the “Indiana Action”), the HIPAA/HITECH statutes and regulations regarding public disclosure of security breaches of Protected Health Information (“PHI”) have encouraged direct intervention by state attorneys general with respect to such breaches. The enactment of HITECH gave state attorneys general the ability, for the first time, to enforce HIPAA with respect to PHI security breaches in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It was also pointed out in the earlier blog postings that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.

On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the “Vermont Attorney General”) announced in a press release (the “Press Release”) that it had settled a lawsuit (the “Vermont Action”), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, “Health Net”). The Vermont Action involves a number of the same issues to which the Connecticut Action against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.

The settlement in the Vermont Action (the “Vermont Settlement”) would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, which may be contrasted to nearly 500,000 Connecticut enrollees that were the subject of the Connecticut Action.

Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, unlike the Connecticut Action and the Indiana Action, was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is “Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009.”

So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases in which insurers allegedly delayed, unreasonably and at length, in notifying affected individuals. Insurers may be attractive targets because they are perceived by the public as large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital, and what the basis for such a lawsuit will be.

In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or WellPoint PHI security breaches.

Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public, and reduce the likelihood of litigation and penalties.
 

(With appreciation to Michael J. Kline, Esq., the author of this entry and a co-author of this blog. Mr. Kline is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

The Parade of PHI Security Breaches: Escalating Enforcement Activity by Attorneys General - Most Recently in Indiana

As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches.

The earlier posting reported that Richard Blumenthal, Attorney General of Connecticut and now United States Senator-elect, has been especially prominent in investigating PHI security breaches affecting individuals in his state. He also distinguished himself by successfully recovering for Connecticut the first state settlement for PHI security breaches under HIPAA/HITECH, in an amount of $250,000.

The enactment of HITECH gave state attorneys general the ability, for the first time, to enforce HIPAA with respect to PHI security breaches in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations.

It was pointed out in the earlier blog posting that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches. In this regard, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

Significantly, the lawsuit, which seeks $300,000 in civil penalties, is not being brought under HIPAA/HITECH but, according to the Press Release, under Indiana state law, which “requires businesses to notify both the individuals potentially affected by a data breach, as well as the Attorney General's office without unreasonable delay.”

According to the Press Release, WellPoint was notified as early as February 22, 2010 and again on March 8, 2010 that health insurance application records containing personal information, such as social security numbers, financial information and health records, were accessible through its public website. However, Greg Zoeller, the Indiana Attorney General, alleges that WellPoint did not begin notifying customers of the security breach until June 18, 2010 (over 100 days after WellPoint reportedly learned of the breach). The Press Release continues that, following news reports of the breach, the Attorney General's office submitted an inquiry to WellPoint and received a response on July 30, 2010 (at least 144 days after WellPoint reportedly learned of the breach). The Press Release states that the WellPoint “delays in notice both to customers and to the Attorney General's office are considered unreasonable.”

Significantly, HIPAA/HITECH has a more objective and rigid standard than the “unreasonable delay” of the Indiana statute. Under HIPAA/HITECH, the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” [Emphasis supplied] WellPoint would clearly not be within the 60-day limit for notification under the HIPAA/HITECH requirements.

It is not clear what led Mr. Zoeller to decide to proceed under state law rather than HIPAA/HITECH, especially given the objective outside limit of 60 days under HIPAA/HITECH and the abovementioned success of Mr. Blumenthal in Connecticut. Perhaps the decision was made in order to bring the action in the Indiana state courts rather than the federal courts, or there are facts and circumstances that may favor use of the state law. It is also possible that the Indiana Attorney General may want to reserve the possibility of proceeding in the federal courts under HIPAA/HITECH later, in the event that the current state action does not proceed favorably.

In any event, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments under HIPAA/HITECH and/or state law. In this regard, it will be interesting to see how the attorneys general will exercise their discretion in selecting entities from whom they will seek penalties. The two reported cases in Connecticut and Indiana deal with Health Net and WellPoint, respectively, which are insurers, not providers. As a political and media matter, insurers would appear to be much safer targets than highly respected non-profit teaching or community hospitals or small physician practices.

Nonetheless, both insurers and providers must be on constant alert to minimize fallout if a PHI security breach occurs. Prompt, decisive and positive action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for undue delay in notification of PHI security breaches.

(With appreciation to Michael J. Kline, Esq., the author of this entry and the author of an on-going analysis on this blog site of the concerns of Madoff stakeholders. Mr. Kline is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)