Health Net Breach Exposes 1.9 Million Records

National health insurer Health Net started informing customers this week of a data breach in January that exposed as many as 1.9 million customer records. The breach came after its IT vendor IBM misplaced nine server drives following a move to a new data center.

"This investigation follows notification by IBM, Health Net's vendor responsible for managing Health Net's IT infrastructure, that it could not locate several server drives," Health Net said in a statement it posted on its website on Monday. "After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

This was Health Net's second major breach in two years involving lost drives: Health Net of Connecticut agreed to pay $375,000 in penalties after losing a disk drive in 2009 that exposed the personal information of about 1.5 million Health Net customers, including 500,000 Connecticut members.

Meanwhile, California's Department of Managed Health Care is now planning to investigate Health Net's security practices in the wake of the latest breach.

According to the most recent Ponemon Institute figures, the average data breach costs healthcare organizations $345 per records. Using those numbers, this breach could cost Health Net upward of $655 million when all is said and done. That's a little more than 5 percent of Health Net's projected $12 billion revenue for 2011.

"I don't know how much this industry is going to pay to make that mistake over and over again," says Josh Shaul, CTO of App Sec, who explains that lost media is a constant source of database losses across healthcare and other industries. "It's a joke now: 'The tape fell off the truck.' And here's the equivalent of it, and we're talking about $650 million worth of tape that fell off that truck."

According to Mel Shakir, CTO for NitroSecurity, these types of incidents are often the result of a lack of appropriate policies and procedures in place by the organization responsible for both the physical and logical protection of critical data.

"There have been so many breaches like this, whether it was hard drive or back-up tapes," Shakir says. "Every time it really comes down to policies and procedures. You cannot simply have tools and technologies -- you have to have good policies in place to be able to handle the data safely."

Not only that, but when organizations outsource data center operations, they need to ensure that the third party in charge is working by a set list of policies and procedures, experts say.

"What I think is also interesting is that the servers are managed by another company," says Geoff Webb, director of product marketing at Credant Technologies. "This is the classic dilemma for organizations. It's almost like a Shakespearean tragedy; you can almost see from the beginning how things can go bad. Health Net is now on the hook for all that has been potentially lost and the bad publicity that goes with it. And yet the operations of those systems were managed by another company doing it for them."

AppSec's Shaul says that no matter how well respected the outsourcer, organizations must plan for security and breach prevention within their outsourced contracts.

"You have to make sure you put the rules and process in place to make sure it happens," he says. "Even if you hire IBM, you still need some oversight around data security. You at least need to write into the letter of the contract that the provider is going to take very specific steps and follow documents and processes to protect your information.

"Something so simple as not encrypting the data on the media that is being shipped to one data center or another or being decommissioned makes a difference. That data should have been encrypted or it should have been wiped and that should have happened long before those drives were pulled from the servers," he says.

IBM had not yet responded to press inquiries about the breach as of this posting.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.