Health Net Breach Affects 1.9 Million

Nine Server Drives Are Missing
Insurer Health Net is notifying 1.9 million individuals nationwide that their healthcare and personal information may have been breached as a result of nine server drives missing from a California data center managed by IBM.

If the total number of individuals affected holds up, the incident will be the largest reported so far under the HITECH Act breach notification rule, which went into effect in September 2009. It would surpass a recent health information breach at New York City Health and Hospitals Corp. that affected 1.7 million.

A Health Net spokesman was tight-lipped, offering no details on the number of individuals being notified. But the California Department of Managed Healthcare said in a release that 1.9 million were affected nationwide by the incident involving nine missing server drives. The department said those included more than 622,000 enrollees in Health Net products regulated by the department, more than 223,000 enrolled in California Department of Insurance products and others enrolled in Medicare.

The California agency has opened an investigation into the insurer's security practices.

Meanwhile, Connecticut Attorney General George Jepsen said in a statement about the Health Net incident that information on nearly 25,000 residents of that state "may have been compromised in a nationwide breach in early February."

Jepsen said he requested "detailed information about the status of the data breach, what steps the company has taken to protect affected individuals and what procedures have been adopted to prevent any other breaches of this kind."

A spokesperson for Jepsen's office said the incident affected individuals "in multiple states."

In the wake of a similar Health Net incident in May 2009, which involved the loss of a computer disk drive that affected up to 1.5 million consumers nationwide, former Connecticut Attorney General Richard Blumenthal last July reached a settlement with the insurer. Health Net agreed to a $250,000 payment and a corrective action plan. That case marked the first time a state attorney general filed a HIPAA civil lawsuit as enabled by the HITECH Act.

Health Net also was fined by the Connecticut Insurance Department and the Vermont attorney general in connection with that 2009 incident (See: Health Net Fined Again for Breach).

Details on New Breach Incident

In a press release, Health Net said its investigation of the latest breach incident "follows notification by IBM, Health Net's vendor responsible for managing IT infrastructure, that it could not locate several server drives" at a data center in Rancho Cordova, Calif. "After a forensics analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives," the company stated. That information may include names, addresses, health information, Social Security numbers and/or financial information.

"While the investigation continues, Health Net has made the decision out of an abundance of caution to notify individuals whose information is on the drives," the company said. It's offering them "two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance."

An IBM spokesperson declined to provide further details, saying only, "IBM continues to assist Health Net with its investigation of unaccounted-for server drives."

The insurer provides health benefits to about 6 million individuals.

Breaches affecting 500 or more individuals must be reported to federal authorities and the individuals affected within 60 days under the HITECH Act breach notification rule. As of Tuesday morning, the Health Net breach was not yet on the federal list of major health information breaches. New incidents are added to the list once the HHS Office for Civil Rights confirms the details.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
