Health Net Criticized For Data Loss Notification Delay

Nine computer drives containing personal data on nearly 2 million customers, employees, and healthcare providers apparently went missing Jan. 21, but the managed care organization didn't reveal the loss until March 14.
On Monday, Connecticut attorney general George Jepsen issued a statement asking Health Net to provide identity theft and credit protections for nearly 25,000 Connecticut residents whose medical data and personal information may have been compromised in a nationwide data breach in early February.

The Connecticut AG's office said Health Net acknowledged that nine unaccounted-for server drives in its Rancho Cordova, Calif., operations contained protected health information and personal information for 24,599 Connecticut residents, including 18,279 Medicare subscribers, 700 Medicaid subscribers, and 5,620 commercial subscribers.

"Health insurance companies have access to very sensitive and personal information. They have a duty to protect that information from unlawful disclosure," Jepsen said in a statement. "I am asking the company to provide credit monitoring services for two years, identity theft insurance, and security freeze reimbursements for the customers affected."

In a letter to the company's attorneys, Jepsen also requested detailed information about the status of the data breach, what steps the company has taken to protect affected individuals, and what procedures have been adopted to prevent other breaches of this kind.

On Tuesday, California's insurance commissioner, Dave Jones, announced that he will conduct an independent investigation into whether the company did everything it could to avoid and appropriately remedy the security breakdown.

Jones, who is also requesting that Health Net furnish his agency with the findings of its investigation into the recent privacy breach, said in a statement that identity theft crimes are on the rise, and "it is more important than ever to act immediately and comprehensively in addressing a privacy breach."

Under the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, health-related organizations, such as hospitals and health insurance companies, are required to provide notice to individuals adversely affected by breaches of unsecured protected health information.

Health Net delivers managed healthcare services through health plans and government-sponsored managed care plans. The company provides health benefits to approximately 6 million individuals across the country through health insurance plans that include group, individual, Medicare, and Medicaid programs.

This is the second time that Health Net has suffered a data security breach. In July, Connecticut reached a settlement with Health Net of the Northeast over a computer disk drive lost in May 2009 that contained protected health and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, Social Security numbers, protected health information, and financial information.

The agreement, which also involved Health Net of Connecticut and parent companies UnitedHealth Group and Oxford Health Plans, resolved allegations that Health Net violated the Health Insurance Portability and Accountability Act (HIPAA), which state attorneys general are authorized to enforce, as well as state privacy protections. It resulted in a $250,000 payment to the state.