Numerous data breaches and computer intrusions have been disclosed by the nation’s largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses. A data breach may occur when there is a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of data. Sensitive personal information generally includes an individual’s name, address, or telephone number, in conjunction with the individual’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password. Breach notification laws enacted by many states require the disclosure of security breaches involving sensitive personal information (Stevens, 2008).
The story of Health Net of Connecticut ("Health Net") is instructive.
In May 2009, Health Net discovered that it had lost a computer hard drive containing the personal health information of approximately 500,000 Connecticut residents. In January 2010, the State of Connecticut commenced a lawsuit against Health Net alleging that it had failed in a timely manner to notify residents and state authorities on this data security breach incident. The suit alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA"), the Connecticut data breach law and the Connecticut Unfair Trade Practice Act. Under the terms of a stipulated judgment entered into on July 6, 2010, Health Net agreed to pay $250,000 in penalties and implement a corrective action plan.
In November 2010, the Connecticut Insurance Department and Health Net settled a separate enforcement action commenced against Health Net arising out of the same data security breach incident. Under the terms of that settlement agreement, Health Net agreed to pay $350,000 in penalties and to provide two years of credit monitoring protection to persons affected by the data breach.
Shortly thereafter, on January 18, 2011, the State of Vermont settled an enforcement action against two affiliates of Health Net (Health Net, Inc. and Health Net of the Northeast, Inc.) arising out of the same data security breach incident, which had also affected approximately 525 Vermont residents. That suit alleged violations of HIPAA, Vermont's Security Breach Notice Act, and Vermont's Consumer Fraud Act. Under the terms of the consent decree, Health Net was assessed $55,000 in penalties and agreed to submit to a data security audit and to file reports with the State of Vermont for two years.
As if all of the above fall-out were not enough, within days of the State of Vermont settlement, Health Net experienced yet another data security breach incident, this time affecting 1.9 million current and former members (including 845,000 Californians) stemming from loss of nine hard drives from its California data center. Health Net was made aware of the missing information on January 21, 2011, and it began notifying affected individuals on March 14, 2011. The California Department of Insurance has launched an investigation (Guffin, 2012).
Recognizing the injurious effect that security breaches can have on individuals and corporations, both the federal government and state legislatures have passed measures requiring the disclosure of information related to security breaches, and more legislation may be forthcoming(Fordham Law Review, 2006).
Ten of the Top Data Breaches of the Decade
Heartland Payment Systems -- 2009
In what has been called the largest credit card crime of all time, in 2009, Heartland Payment Systems announced that hackers had broken into the computers it uses to process about 100 million transactions each month for 175,000 merchants.
Heartland, which is based in Princeton, New Jersey, processes card payments for restaurants and other businesses. The...