Health Net Breach Tops Federal List
Investigations of Incident Affecting 1.9 Million Continue
With the addition of the Health Net incident, the Department of Health and Human Services' Office for Civil Rights list of major breaches now totals 256 incidents affecting 10.2 million individuals. But the accounting of the number of individuals affected by any particular incident sometimes changes as OCR continues its investigations. The OCR list tracks incidents affecting 500 or more individuals that have occurred since September 2009, when the HITECH Act breach notification rule took effect.
The OCR listing of the Health Net incident portrays the type of breach as "unknown" and the location as "other." On Tuesday, a spokesman for the health insurance company again declined to offer any comment or details beyond those provided in a March 14 press release, which did not specify the number of individuals affected or the breach-prevention action taken in the aftermath of the incident. The breach, discovered January 21, stemmed from missing server drives at a data center managed by IBM.
The Health Net incident calls attention to the need to check physical security measures as well as closely monitor business associates' policies and procedures, security experts say.
An IBM spokesman said earlier that it "continues to assist Health Net with its investigation of unaccounted-for server drives."
In addition to OCR, the California Department of Managed Healthcare, the California Department of Insurance, the Connecticut attorney general and now the Oregon Department of Consumer and Business Services' Division of Finance and Corporate Securities are investigating the breach.
Some 120,000 residents of Oregon were affected, a department spokesman confirmed Tuesday. More than 800,000 in California were affected, plus 40,000 in Washington state and 25,000 in Connecticut, authorities in those states have revealed. It's unclear what other states' residents were affected.
The January incident marks the second time Health Net has reported a major health information breach stemming from a missing drive.
In the wake of a similar incident in May 2009, which involved the loss of a computer disk drive that affected up to 1.5 million consumers nationwide, former Connecticut Attorney General Richard Blumenthal last July reached a settlement with the insurer. Health Net agreed to a $250,000 payment and a corrective action plan. That case marked the first time a state attorney general filed a HIPAA civil lawsuit as enabled by the HITECH Act.
Health Net also was fined by the Connecticut Insurance Department and the Vermont attorney general in connection with that 2009 incident (See: Health Net Fined Again for Breach).
Building Consumer Confidence
Security expert Kate Borten, president of The Marblehead Group, commented on Health Net's communication approach: "As a consumer, I would have more confidence in my health plan or provider's commitment to privacy and security if more details are provided - both about how the breach occurred and about how the organization is taking steps to reduce the risk of a repeat breach," she said. "I have no insight into why Health Net is not more forthcoming, but they may be gun shy, given their previous breach and the fact that this breach is currently under investigation by several government agencies."
Because of the lack of details about the incident, it's not clear how security at the data center failed, Borten noted. "Certainly, physical security is critical to protecting a data center's network, systems and information assets. Locks, cameras, and other physical security techniques should be in use. Only individuals with a need to enter should be permitted, and physical entry/exit logs should be kept and reviewed."
Security consultant Rebecca Herold, owner of Rebecca Herold & Associates, stressed, "Health Net, and every other organization, needs to follow due diligence actions to ensure that every third party they have contracted with has appropriate safeguards in place. When you outsource business activities to a third party, you do not also outsource responsibility. You must follow effective, comprehensive procedures before deciding to outsource to a specific organization, and then you need to perform various types of ongoing activities ... to ensure they stay in compliance."
Key steps in vendor management, Herold said, include performing a compliance audit or risk assessment and then establishing a way to continually monitor "how well they are maintaining their compliance program."
Kathryn Roe, an attorney with The Health Law Consultancy, said every healthcare organization "needs to be prepared with a communication strategy - and a checklist to implement it - well before the organization or one of its business associate vendors experiences a data breach. That means think carefully and in advance about the structure and terms of the organization's arrangements with its business associates. An organization shouldn't let its best laid plans for communication about a breach get derailed because its business associate was not prepared to manage or effectively communicate to or for the organization the details about the vendor's data breach."
Roe also advised healthcare organizations to "assess their business associates' security postures, including encryption and other security measures and controls implemented, before the business relationship begins as well as periodically during the business relationship."
A decision on whether to encrypt server drives depends on the risks involved, Herold said. "If a third party is housing your servers and drives, along with those belonging to a large number of other organizations, then your risks have increased significantly from if you housed the servers and drives within your own secured walls, handled by your own workers," she said. "If they do not have your servers and storage media in a separate, secured area, then it would likely be a good idea to encrypt the data on the servers."
Borten said that if appropriate physical security measures are taken, "it is not necessarily common in healthcare, or a best practice, to encrypt drives that aren't going anywhere." For server drives in a data center with tight physical security, the decision to encrypt depends, in large part, "on the type and level of electronic access to the data," she said.
Health Net Statement
In its March 14 press release posted on its website, Health Net said its investigation of the January breach incident "follows notification by IBM, Health Net's vendor responsible for managing IT infrastructure, that it could not locate several server drives" at a data center in Rancho Cordova, Calif. "After a forensics analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives," the company stated. That information may include names, addresses, health information, Social Security numbers and/or financial information.
Health Net is offering those who may have been affected "two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance."