Health Net Breach Impact Grows

Incident Tops OCR's List of Major Breaches
Health Net Breach Impact Grows
The Health Net Inc. breach that was believed to have affected about 2 million individuals may be larger than originally stated.

The insurer originally said that 2 million people nationwide were affected, 124,000 of those in Oregon. But Health Net Oregon president Chris Ellertson said in an e-mail to the Oregon Insurance Division last month that an additional 6,300 Oregonians were affected by the breach, bringing the total number to 130,000 for Oregon, according to an article from The Oregonian.

Personal information affected included names, addresses, social security numbers and health and financial information.

James Woys, Health Net's chief operating officer, sent an apology to customers in a letter dated July 27. "We have recently discovered that there was an error in the data analysis and your SSN was included on the unaccounted for drivers," he wrote. "We sincerely apologize for this mistake."

The breach, which was discovered Jan. 21, stemmed from missing server drives at a data center managed by IBM.

The Health Net breach still tops the list of major breaches by the Department of Health and Human Services' Office for Civil Rights [See: Health Net Breach Tops Federal List].

The OCR list tracks incidents affecting 500 or more individuals that have occurred since September 2009, when the HITECH Act breach notification rule took effect.

In its March 14 press release posted on its website, Health Net said its investigation of the January breach incident "follows notification by IBM, Health Net's vendor responsible for managing IT infrastructure, that it could not locate several server drives" at a data center in Rancho Cordova, Calif. "After a forensics analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives," the company stated. That information may include names, addresses, health information, Social Security numbers and/or financial information.

Health Net is offering those who may have been affected "two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance."

As a result of the breach, multiple investigations are underway. In addition to OCR, the California Department of Managed Healthcare, the California Department of Insurance, the Connecticut attorney general and now the Oregon Department of Consumer and Business Services' Division of Finance and Corporate Securities are investigating the incident.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network