On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state’s data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General’s settlement, the first under Vermont’s Security Breach Notice Act, demonstrates that, in the opinion of the Vermont Attorney General, even in the frozen North a six-month gap between the discovery of a breach and notice to individuals cannot be reconciled with the Act’s requirement to notify individuals “in the most expedient time possible and without unreasonable delay.”

The lengthy delay between discovery of the lost hard drive and individual notifications was not the only thing Sorrell found to be wrong with HealthNet’s response to the May 2009 breach, however. Vermont’s Attorney General also claimed that HealthNet violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) by failing to secure protected health information, and violated the state’s Consumer Fraud Act by misrepresenting, in its letters to individuals, the risk posed by the breach. In those letters, HealthNet told individuals that the risk of harm to them was “low” because the files were saved in a format that could not be easily accessed when, in reality, the files were saved as TIF images, a common format that any ordinary image viewer can open. Neither the file format nor the absence of encryption offered the affected individuals any real protection.

The Vermont Attorney General’s settlement with HealthNet, which the U.S. District Court for the District of Vermont approved on January 21, 2011, requires the company to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company’s information security programs for the next two years.

The HealthNet settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response: a slow notification and an inaccurate description of the risk each drew their own claims here. If you have not already done so, the time for establishing a comprehensive breach response plan, one that sets notification timelines and ensures that what you tell affected individuals is accurate, is now!