The Los Angeles Times (3/14) "Money & Company" blog reported that the California Department of Managed Health Care has "opened an investigation into the security practices of insurer Health Net Inc. after the Woodland Hills company revealed the loss of computerized records containing personal information related to about 1.9 million people." Although Health Net would not indicate how many computer drives were missing, the company said in a
statement that it is launching its own investigation and notifying the affected members "out of an abundance of caution."
The state regulatory agency "estimates records for more than 622,000 members in health plans regulated by the Dept. of Managed Health Care may have been compromised, as well as records for 223,000 members in products regulated by the Department of Insurance," the Sacramento Business Journal (3/15, Robertson) reports. Records for some Medicare beneficiaries also may have been lost.
According to the San Diego Union-Tribune (3/15, Lavelle), Health Net claims that the missing information "may include names, addresses, Social Security numbers, health information, and financial information." However, company spokesman Brad Kiefer "declined to release any information beyond the short news release, including when the breach was discovered, or how it may have happened." Beth Givens, director of the San Diego-based nonprofit Security Rights Clearinghouse, said that the loss was "among the top 20 security breaches (nationwide) since 2005," and called it "astounding" that the missing server was still unaccounted for.
The Hartford Courant (3/14, Sturdevant) "Insurance Capital" blog reported that Connecticut Attorney General George Jepsen "is asking Health Net for identity-theft and credit protections for Connecticut residents" whose information may have been put at risk. "(Health insurance companies) have a duty to protect that information from unlawful disclosure. I am asking the company to provide credit monitoring services for two years, identity theft insurance and security freeze reimbursements for the customers affected," he said.
The Sacramento Bee (3/15, Glover) reports, "Health Net said it is notifying the individuals whose information is on the drives," and "is offering affected individuals two years of free credit-monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance." The services would be provided through Debix Identity Protection Network.
The AP (3/15) reports that the incident is not the first data breach to affect Health Net customers. Back in January, "the company agreed to pay $55,000 to settle a similar case with the Vermont attorney general's office" following "the loss of a portable, unencrypted hard drive that contained protected health information, Social Security numbers and financial information for about 1.5 million people." The insurer "discovered the drive was missing on May 14, 2009, but did not start notifying affected Vermont residents until more than six months later."