Health Net Data Breach Involves 1.9 Million Records

Tuesday, March 15, 2011



The California Department of Managed Health Care (DMHC) has opened an investigation into the security practices of managed health care services provider Health Net after the company revealed another massive data loss event.

Health Net reported that it cannot locate nine network server drives from its Rancho Cordova data center; the drives contain as many as 1.9 million current and former customer records.

A Health Net Press Release states:

"After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

"While the investigation continues, Health Net has made the decision out of an abundance of caution to notify the individuals whose information is on the drives."

"To help protect the personal information of affected individuals, Health Net is offering them two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance. These services will be provided through the Debix Identity Protection Network."

Health Net suffered a similar loss of an unencrypted portable hard drive in May of 2009 that contained the information of about 1.5 million customers. Just last month, the Connecticut Attorney General's office filed a complaint and proposed settlement in that case.

Health Net had taken as long as six months to notify customers whose data was involved in that incident, violating the Security Breach Notice Act.

The breach also violated the HIPAA provisions for protecting healthcare-related information, as well as the Consumer Fraud Act, in relation to the delayed notification and the understatement of risk to the affected customers.

Katie Weaver-Johnson, "Lessons": It appears that Health Net did learn one lesson from their 2009 breach and HIPAA violation, as they have decided to notify the individuals whose information may (or may not) be on the lost drives.

However, I did read an article just yesterday that pointed out an unfortunate trend: The faster a company responded to a breach, the higher the costs (

So, what steps should an organization take? I think the main lesson learned should be PREVENTION. By educating employees and third-parties and increasing awareness and accountability, hopefully an organization never needs to decide the appropriate time to notify their customers...