Health Net Breach Affects 1.9 Million
Nine Server Drives Are Missing
If the total number of individuals affected holds up, the incident will be the largest reported so far under the HITECH Act breach notification rule, which went into effect in September 2009. It would surpass a recent health information breach at New York City Health and Hospitals Corp. that affected 1.7 million.
A Health Net spokesman was tight-lipped, offering no details on the number of individuals being notified. But the California Department of Managed Healthcare said in a release that 1.9 million were affected nationwide by the incident involving nine missing server drives. The department said those included more than 622,000 enrollees in Health Net products regulated by the department, more than 223,000 enrolled in California Department of Insurance products and others enrolled in Medicare.
The California agency has opened an investigation into the insurer's security practices.
Meanwhile, Connecticut Attorney General George Jepsen said in a statement about the Health Net incident that information on nearly 25,000 residents of that state "may have been compromised in a nationwide breach in early February."
Jepsen said he requested "detailed information about the status of the data breach, what steps the company has taken to protect affected individuals and what procedures have been adopted to prevent any other breaches of this kind."
A spokesperson for Jepsen's office said the incident affected individuals "in multiple states."
In the wake of a similar Health Net incident in May 2009, which involved the loss of a computer disk drive that affected up to 1.5 million consumers nationwide, former Connecticut Attorney General Richard Blumenthal last July reached a settlement with the insurer. Health Net agreed to a $250,000 payment and a corrective action plan. That case marked the first time a state attorney general filed a HIPAA civil lawsuit as enabled by the HITECH Act.
Health Net also was fined by the Connecticut Insurance Department and the Vermont attorney general in connection with that 2009 incident (See: Health Net Fined Again for Breach).
Details on New Breach Incident
In a press release, Health Net said its investigation of the latest breach incident "follows notification by IBM, Health Net's vendor responsible for managing IT infrastructure, that it could not locate several server drives" at a data center in Rancho Cordova, Calif. "After a forensics analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives," the company stated. That information may include names, addresses, health information, Social Security numbers and/or financial information.
"While the investigation continues, Health Net has made the decision out of an abundance of caution to notify individuals whose information is on the drives," the company said. It's offering them "two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance."
An IBM spokesperson declined to provide further details, saying only, "IBM continues to assist Health Net with its investigation of unaccounted-for server drives."
The insurer provides health benefits to about 6 million individuals.
Breaches affecting 500 or more individuals must be reported to federal authorities and the individuals affected within 60 days under the HITECH Act breach notification rule. As of Tuesday morning, the Health Net breach was not yet on the federal list of major health information breaches. New incidents are added to the list once the HHS Office for Civil Rights confirms the details.