Licensed insurers and brokers in Connecticut must notify state regulators within five days of any data breaches involving personal information on policyholders and others.
Insurance Commissioner Thomas R. Sullivan recently issued a bulletin declaring the strict notification policy.
Bestwire.com reports the bulletin may be the first of its kind by a state insurance regulator, said Ed Goodman, chief privacy officer of Identity Theft 911, an Arizona-based business-to-business identity theft and data breach management service. Others will likely follow, he said.
“The bulletin is in response to some recent data breaches, which were not reported in what we believe to be a timely manner,” state Insurance Department spokeswoman Dawn McDaniel said.
In July, Health Net and its affiliates agreed to pay $250,000 for failing to secure the private patient medical records and financial information of some 500,000 Connecticut enrollees, under an action taken by Connecticut Attorney General Richard Blumenthal.
The settlement marked the first action by a state attorney general for violations of the federal Health Insurance Portability and Accountability Act of 1996 since the Health Information Technology for Economic and Clinical Health Act authorized state attorneys general to enforce HIPAA.
In June, Anthem Blue Cross in California, a unit of WellPoint Inc., alerted an estimated 230,000 applicants for coverage that their personal medical records and Social Security numbers may have been wrongfully accessed.
Earlier this year, BlueCross BlueShield of Tennessee found itself facing $10 million in costs due to the theft of computer hard drives containing personal data affecting nearly 1 million members. Costs included a new security assessment and free third-party credit monitoring and free identity theft protection to 239,103 members whose Social Security numbers were exposed.
