As reported previously on this blog series, the requirements under HIPAA/HITECH and state statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches.
An earlier posting on November 2, 2010 in this blog series (the “2010 Posting”) reported that, on October 29, 2010, the Indiana Attorney General’s office announced in a press release (the “2010 Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General’s office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”
As reported by Ben Keller on DataGuidance.com from London, Indiana Attorney General Greg Zoeller announced on July 5, 2011, that WellPoint agreed to pay $100,000 after the company failed to notify customers and the state Attorney General "without unreasonable delay" of a data breach that occurred between October 2009 and March 2010. In response to a request by Mr. Keller to comment for the article, I was quoted as follows:
By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state. . . . [U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.
This posting will endeavor to make some additional observations about the Indiana case. As reported in the 2010 Posting, the Connecticut case proceeded under the federal HIPAA/HITECH statute, while Mr. Zoeller proceeded only under an Indiana state law. Subsequent to the 2010 Posting, this blog series reported on a settlement in Vermont in January 2011 that was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts.
In summary, there have now been three reported settlements by Attorneys General for PHI security breaches:
(i) one that proceeded solely under the federal HIPAA/HITECH statute (Connecticut);
(ii) another that proceeded under both the federal HIPAA/HITECH statute and state law (Vermont); and
(iii) a third one that proceeded solely under state law (Indiana).
The 2010 Posting raised the question as to why Mr. Zoeller had proceeded only under the Indiana state law and not under HIPAA/HITECH as well. The press release issued by his office on July 5, 2011, about the WellPoint settlement sheds some light on the matter:
In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General’s Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General’s Identity Theft Unit.
It is clear that Mr. Zoeller wanted to achieve a successful result under the state statute for which he had personally urged passage. However, while the 2010 Posting reported that Mr. Zoeller was seeking $300,000 in civil penalties from WellPoint, he settled for $100,000 in penalties, plus, among other sanctions, the requirements that WellPoint provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach and that WellPoint reimburse any WellPoint consumer up to $50,000 for any losses that result from identity theft due to the breach.
As stated earlier, it can be expected that other attorneys general around the country will follow suit in investigating PHI security breaches and seeking civil monetary payments and other sanctions under HIPAA/HITECH and/or state law. Such actions can generate significant revenues for the state, act as a deterrent to others and generate positive media coverage for successful attorneys general.
Prompt, decisive and compliant action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches.