Breach at Health Net Following Address Mix-up

Health Net of California, a subsidiary of insurer Health Net Inc., is notifying approximately 6,700 members of its Health Net Medi-Cal program of a breach of their protected information.

In April and May 2013, identification cards mailed to the members--which constitute 0.6 percent Health Net’s Medi-Cal members--were mailed to former addresses of the members. Information on the cards included member name, identification number and the name of the primary care physician.

No financial or medical information or Social Security numbers were on the cards and because of that, Health Net of California does not believe there is a need to offer identification theft protection services, according to a spokesperson. Health Net has corrected a programming issue that caused the incorrect mailings and has notified pertinent state government agencies and the HHS Office for Civil Rights.

Parent company Health Net is listed on OCR’s public Web site of large breaches reported under the breach notification rule following the disappearance of at least nine server drives in January 2011. The drives contained demographic, financial and medical information, along with Social Security numbers, for some or all of 1.9 million affected members across several states. Health Net offered affected members a suite of credit, fraud and identity theft protection services for a two-year period.

Health Net in July 2010 also settled a lawsuit brought by the attorney general in Connecticut the disappearance of a hard drive from a data center with protected health information on about 1.5 million members. The breach occurred in May 2009, several months before the breach notification rule became effective in September 2009. The HITECH Act, however, gave state attorneys general authority to prosecute violations of the HIPAA privacy and security laws, and Connecticut was the first state to file and settle a suit. Under the settlement, Health Net agreed to pay $250,000 and implement a corrective action plan.