On Monday, March 14, the insurer posted a cryptic press release about the breach incident apparently shortly after the Connecticut attorney general's office released a statement calling attention to its investigation of the breach. The California Department of Managed Care and the state's Department of Insurance also announced their own investigations.
Health Net's press release failed to point out how many people may have been affected by the breach, which stemmed from server drives missing from a California data center managed by IBM. The release didn't even say how many drives were involved or when the incident took place, although a hotline recording for those affected noted that IBM notified the insurer January 21 that the drives were missing. And a company spokesman declined to discuss the incident with journalists.
If your organization experiences a breach, it's far better that you reveal to everyone as many confirmed details as you can, rather than leaving that task to the agencies that investigate breaches and impose sanctions.
That reluctance to share much information is puzzling, given that the insurer has to report all the details to state authorities as well as the HHS Office for Civil Rights, which posts major health information breaches on its website.
Health Net's tight-lipped approach clearly didn't prevent more details from being revealed. The California Department of Managed Care announced on Monday that the insurer's nine missing drives contained information on 1.9 million individuals nationwide.
There's an important lesson here. If your organization experiences a breach, it's far better that you reveal to everyone as many confirmed details as you can, rather than leaving that task to the agencies that investigate breaches and impose sanctions.
A good model for this approach is BlueCross and BlueShield of Tennessee, which provided detailed, frequent updates on its website about a breach incident. That breach involved unencrypted hard drives stolen from a shuttered call center.
At least Health Net took the appropriate step of offering two years' worth of free credit monitoring services to all those who might have been affected.
Breach Prevention Lessons?Because we still don't know exactly what happened in the Health Net breach, we can't say, for certain, what steps might have prevented it.
The drives apparently weren't encrypted, or the incident would not have been reported. But what about physical security measures at the data center? Or training of personnel who worked there? And what about the relationship between Health Net and its business associate, IBM? Did the insurer carefully monitor IBM's management of the data center and spell out expectations in a business associate agreement? We may never know.
The Health Net incident, along with several others, including the Tennessee breach and the recent New York City Health and Hospitals Corp. incident, point to the need to make sure you're doing all you can to adequately protect storage media.
Last May, BlueCross BlueShield of Tennessee executives offered a summary of the actions it had taken and the lessons it had learned in the wake of its breach incident. That list is worth revisiting:
- Communicate frequent updates on breach investigations through the media and a website.
- Adding a layer of physical security to protect servers is a prudent step.
- Encryption should be applied widely, including on servers.
- Appointing a chief security officer helps to ensure coordination of all security efforts.
- Organizations should carefully assess how long to store information.
- In preparing a breach notification plan, be sure to prepare a pre-selected list of vendors that can help with various tasks.
- Train customer service representatives to deal with breach-related questions from the public.