Health Net breach highlights weaknesses in state-level breach laws

While affected Connecticut residents and authorities are understandably upset about the recently reported loss by regional health plan provider Health Net of personal information on all 446,000 Connecticut customers served by the plan, the six-month delay by the company in making the breach public is seen as especially egregious. Connecticut has had a breach disclosure law on the books since 2006, but the statute does not have an explicit timeframe in which disclosure must occur, instead saying only that “disclosure shall be made without unreasonable delay” (699 Gen. Stat. Conn. §36a-701b). The law also includes a provision by which disclosure is not required if it can be determined that breach is not likely to result in harm to the individuals whose information has been lost, but this exception still requires notification of and consultation with appropriate government authorities to arrive at the determination that no harm will done. It appears that Health Net did not follow the spirit of the law in either context, and given the company’s conclusion that the data — contained on a portable disk drive and stored in a format proprietary to an application that Health Net used to access the data — was not encrypted and therefore could probably be read by someone who acquired it.

This incident occurred before the federal data breach disclosure provisions of the HITECH Act went into effect (Connecticut’s law is not limited to health information, but includes all personal information), but under those rules Health Net would be subject to federal penalties as well as any punitive action taken at the state level. The health data breach disclosure rules use the same “without unreasonable delay” language found in the Connecticut statute, but add a maximum time of 60 days from the date the breach is discovered (74 Fed. Reg. 42749 (2009)). Of course, the federal rules also include a harm exception like the one Connecticut has, so there are limits to the extent to which federal-level regulations remove subjectivity surrounding data breach disclosures, but the Health Net example serves to highlight the need for specificity in statutes to eliminate some of the room to equivocate that data-losing organizations now have.