The first action by a state Attorney General for a violation of HIPAA (after HITECH authorized State Attorneys General to enforce HIPAA) has resulted in an unprecedented monetary settlement with the AG’s office. The case involved Health Net's unreported loss of a compact disk containing private medical records, Social Security numbers and financial information. While the settlement amount of $250,000 may not by itself do much damage to a company the size of Health Net, the consequences of the exposure are likely to be quite adverse.
This case sends a strong message to all those in control of sensitive data about their responsibility to protect confidential information. It once again reinforces the importance of compliance with security standards and the need for secure GRC solutions. The lost disk is said to have contained some of the most personal, intimate patient information, which is capable of causing individuals grave embarrassment, financial harm and identity theft.
Health and financial institutions, which are in control of the most sensitive data, should therefore take the necessary steps to put in place a comprehensive compliance management system as a preventive measure to avoid any kind of security breach.