Health Net discloses loss of data to 1.9 million customers
Insurer says server drives missing from IBM-run California data center contain personal, medical data
Computerworld - Health Net, a provider of managed health care services, yesterday said that it's alerting some 1.9 million customers that nine server drives containing personal and health data were recently discovered to be missing from a data center in Rancho Cordova, Calif.
The data center is managed for Health Net by IBM, which notified the insurer about the missing drives, Health Net said in a statement.
An initial probe has found that the missing drives contained names, addresses, Social Security numbers, financial information and health data of current and former Health Net members, employees and health care providers, the statement said.
Health Net said it will offer two years of free credit monitoring services to the affected individuals.
In its statement, Health Net didn't disclose the number of people affected by the breach or the number of drives that went missing. That information was contained in a separate alert, also issued Monday, from the California Department of Managed Health Care (DHMC).
The DHMC alert said the breach affects nearly 845,000 Health Net customers in California. The DHMC said it's also investigating the breach.
In a similar alert in Connecticut, Connecticut Attorney General George Jepsen said the Health Net breach affected nearly 25,000 residents in that state. According to an alert issued Monday by Jepsen's office, the drives were likely discovered missing in early February.
Health Net did not respond to a call seeking comment on the California and Connecticut alerts.
Less than 18 months ago, in November 2009, Health Net had disclosed that a server hard drive containing seven years of personal financial and medical information had gone missing. At the time, Health Net was criticized for waiting six months to publicly disclose the breach.
The latest Health Net breach disclosure comes amid signs that the U.S. Department of Health and Human Services (HHS) is boosting its efforts to enforce federal HIPAA security and privacy regulations.
For instance, HHS in February imposed a civil penalty of $4.3 million on Cignet Health for not giving 41 patients access to their medical records when they asked for it, as required under HIPAA rules. The action marked the first time that HHS had imposed such a fine over a privacy violation.
In a separate enforcement action, also in February, HHS announced that Massachusetts General Hospital agreed to pay $1 million to settle potential HIPAA privacy violations. That action stemmed from a 2009 incident in which documents containing personal, financial and medical information belonging to 192 individuals were inadvertently left on a subway car by an employee.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts