Health Net Criticized For Data Loss Notification Delay

Nine computer drives containing personal data on nearly 2 million customers, employees, and healthcare providers apparently went missing Jan. 21, but the managed care organization didn't reveal the loss until March 14.

Nicole Lewis, Contributor

March 17, 2011

Health Net, one of the nation's largest managed care providers, has come under fire for failing to quickly disclose that nine computer drives are missing, drives that contain health and other personal data on nearly 2 million customers, employees, and healthcare providers. It appears that Health Net was told on Jan. 21 that the drives went missing from its data center in Rancho Cordova, Calif., but didn't reveal the loss until March 14.

State officials in California and Connecticut have launched investigations into the data loss and Health Net's security procedures and policies. It is the second time in two years that Health Net has suffered a major loss of customer data.

The missing drives contained "personal information of some former and current Health Net members, employees, and healthcare providers, [which] may include names, addresses, health information, Social Security numbers, and/or financial information," the company said in a statement.

Health Net said on its data breach hotline that IBM, which manages the company's IT infrastructure, told it about the missing drives on Jan. 21, according to a story in the San Diego Union Tribune and other news stories. By Wednesday evening, the hotline recording made no mention of the Jan. 21 date.

It was unclear how IBM discovered that the drives were missing, or whether the IT vendor was managing and monitoring Health Net's Rancho Cordova data center with on-site personnel or remotely. The company referred all questions to Health Net. IBM in 2008 won a five-year contract valued at more than $300 million to manage Health Net's entire IT infrastructure. In announcing the deal, IBM said it would "provide full IT infrastructure management services including: data center services, IT security management, help desk, and desk side support. AT&T, an IBM partner, will provide network, voice, and data management services."

Health Net has refused to disclose any details of the loss, other than a short press release it issued Monday. The company said it would provide two years of free credit monitoring services, including fraud resolution and restoration of credit files, as well as identity theft insurance, through the Debix Identity Protection Network.

State and federal laws require companies, especially healthcare companies, to notify potential victims of data loss and identity theft. Health Net's statement suggested that the drives may have been misplaced, not stolen. A spokesman called them "unaccounted-for server drives." The company said it was continuing to investigate, and "out of an abundance of caution" it decided to notify "the individuals whose information is on the drives."

Health Net spokesman Brad Kieffer declined Wednesday to answer questions about the missing drives, referring a reporter to the company statement. "The information that's in our press release, that's the information that we are making available," Kieffer said.

He declined to say how many people may be affected by the loss of the drives, but California's Department of Managed Health Care put the number at 1.9 million. That department is investigating Health Net's security practices.

On Monday, Connecticut attorney general George Jepsen issued a statement asking Health Net to provide identity theft and credit protections for nearly 25,000 Connecticut residents whose medical data and personal information may have been compromised in a nationwide data breach in early February.

The Connecticut AG's office said Health Net acknowledged that nine unaccounted-for server drives in its Rancho Cordova, Calif. operations contained protected health information and personal information for 24,599 Connecticut residents, including 18,279 Medicare subscribers, 700 Medicaid subscribers, and 5,620 commercial subscribers.

"Health insurance companies have access to very sensitive and personal information. They have a duty to protect that information from unlawful disclosure," Jepsen said in a statement. "I am asking the company to provide credit monitoring services for two years, identity theft insurance, and security freeze reimbursements for the customers affected."

In a letter to the company's attorneys, Jepsen also requested detailed information about the status of the data breach, what steps the company has taken to protect affected individuals, and what procedures have been adopted to prevent other breaches of this kind.

On Tuesday, California's insurance commissioner, Dave Jones, announced that he will conduct an independent investigation into whether the company did everything it could to avoid and appropriately remedy the security breakdown.

Jones, who is also requesting that Health Net furnish his agency with the findings of its investigation into the recent privacy breach, said in a statement that identity theft crimes are on the rise, and "it is more important than ever to act immediately and comprehensively in addressing a privacy breach."

Under the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, health-related organizations, such as hospitals and health insurance companies, are required to provide notice to individuals adversely affected by breaches of unsecured protected health information.

Health Net delivers managed healthcare services through health plans and government-sponsored managed care plans. The company provides health benefits to approximately 6 million individuals across the country through health insurance plans that include group, individual, Medicare, and Medicaid programs.

This is the second time that Health Net has suffered a data security breach. In July, Connecticut reached a settlement with Health Net of the Northeast over a computer disk drive lost in May 2009 that contained protected health and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, Social Security numbers, protected health information, and financial information.

The agreement, which also involved Health Net of Connecticut and parent companies UnitedHealth Group and Oxford Health Plans, resolved allegations that Health Net violated the Health Insurance Portability and Accountability Act (HIPAA), which state attorneys general are authorized to enforce, as well as state privacy protections. It resulted in a $250,000 payment to the state.
