Health Net Slow on Breach Details

Health insurer Health Net Inc. is reporting a large breach of protected health information but isn't giving details on the date and circumstances of the breach or how many individuals are affected. According to the California Department of Managed Healthcare, the breach affects 1.9 million individuals nationwide, HealthcareInfoSecurity reports.

The Los Angeles-based insurer has notified at least one state attorney general's office, telling Connecticut officials that the breach affects at least 24,599 state residents. The new breach covering the missing server drives does not yet appear on the HHS Office for Civil Rights Web page that lists reported breaches affecting 500 or more individuals. The list presently includes 241 major breaches.

Health Net is obligated in an agreement reached with Connecticut in July 2010--following a major breach in May 2009--to provide written notice to the Office of the Attorney General of large breaches. Health Net notified the office of the new breach by telephone on March 4. The state on March 7 sent a letter to Health Net reminding the company of its obligation to provide written notice in a timely manner and asking for responses to 18 questions by March 31.

In a public notice issued via press release on March 14, Health Net disclosed that "several" server drives are unaccounted for from its data center in Rancho Cordova, Calif. IBM Corp. is responsible for managing Health Net's information technology infrastructure and notified Health Net of the missing drives.

The Health Net press release does not state the number of missing drives, the number of affected individuals and their states of residence, or the date the insurer learned of the missing drives. The company declined to give more information when contacted about this story.

However, Health Net told the Connecticut Attorney General's office that nine server drives are unaccounted for, that the discovery occurred in early February and that notification of affected Connecticut customers began on March 14.

Health Net issued its press release after Connecticut Attorney General George Jepsen publicly announced the breach on March 14.

The missing server drives included names, addresses, medical information, Social Security numbers and financial information for some or all affected individuals. Health Net is offering two years of free credit monitoring services, including fraud resolution, credit restoration and identity theft services, through the Debix Identity Protection Network.

The unusual agreement in Connecticut stems from Health Net's failure to disclose a 2009 breach--which affected 1.5 million individuals in at least four states--until six months after discovery. Then-Connecticut Attorney General Richard Blumenthal responded by suing the company for 12 alleged violations of the HIPAA privacy and security rules. Following a settlement with Blumenthal that included a $250,000 fine and implementation of a state-approved corrective action plan, the Connecticut Insurance Department then fined Health Net of Connecticut $375,000 for not providing notification in a timely manner. The 2009 breach occurred before the breach notification rule mandated in the HITECH Act became effective.

For a copy of the letter that the Connecticut Attorney General's office recently sent to Health Net asking for additional information on the new breach, send an e-mail to joseph.goedert@sourcemedia.com.

--Joseph Goedert

 
