Health Net, a provider of managed health care services, yesterday said that it's alerting some 1.9 million customers that nine server drives containing personal and health data were recently discovered to be missing from a data center in Rancho Cordova, Calif.
The data center is managed for Health Net by IBM, which notified the insurer about the missing drives, Health Net said in a statement.
An initial probe has found that the missing drives contained names, addresses, Social Security numbers, financial information and health data of current and former Health Net members, employees and health care providers, the statement said.
Health Net said it will offer two years of free credit monitoring services to the affected individuals.
In its statement, Health Net didn't disclose the number of people affected by the breach or the number of drives that went missing. That information was contained in a separate alert, also issued Monday, from the California Department of Managed Health Care (DHMC).
The DHMC alert said the breach affects nearly 845,000 Health Net customers in California. The DHMC said it's also investigating the breach.
In a similar alert in Connecticut, Connecticut Attorney General George Jepsen said the Health Net breach affected nearly 25,000 residents in that state. According to an alert issued Monday by Jepsen's office, the drives were likely discovered missing in early February.
Health Net did not respond to a call seeking comment on the California and Connecticut alerts.
Less than 18 months ago, in November 2009, Health Net had disclosed that a server hard drive containing seven years of personal financial and medical information had gone missing. At the time, Health Net was criticized for waiting six months to publicly disclose the breach.
The latest Health Net breach disclosure comes amid signs that the U.S. Department of Health and Human Services (HHS) is boosting its efforts to enforce federal HIPAA security and privacy regulations.
For instance, HHS in February imposed a civil penalty of $4.3 million on Cignet Health for not giving 41 patients access to their medical records when they asked for it, as required under HIPAA rules. The action marked the first time that HHS had imposed such a fine over a privacy violation.
In a separate enforcement action, also in February, HHS announced that Massachusetts General Hospital agreed to pay $1 million to settle potential HIPAA privacy violations. That action stemmed from a 2009 incident in which documents containing personal, financial and medical information belonging to 192 individuals were inadvertently left on a subway car by an employee.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.