Health Net breach prompts investigation, affects 1.9M

Share this article:

Managed health care provider Health Net revealed this week that it lost the personal information of nearly two million current and past enrollees, its second massive breach in 16 months.

Health Net, a company that provides health benefits to approximately six million people nationwide, said several server hard drives recently went missing from its data center in Rancho Cordova, Calif.

The drives contained the personal information – names, addresses, health information, Social Security numbers and financial data – of former and current Health Net members, employees and health care providers, the company said in a news release Monday.

This is not the first time Health Net has experienced such an incident. In November 2009, the company revealed that it lost a hard drive containing 1.5 million customer medical records.

Health Net began investigating the most recent incident after IBM, the vendor responsible for managing Health Net's IT infrastructure, said it could not find the server drives. An IBM spokesperson could not immediately be reached for comment.

The California Department of Managed Health Care (DMHC), a watchdog agency, has launched an investigation into Health Net's security practices.

The agency on Monday said the breach involves nine servers containing the personal information of 1.9 million current and past Health Net enrollees, including more than 845,000 living in California.

Denise Schmidt, a spokeswoman for the DMHC, told SCMagazineUS.com on Tuesday that the agency will look into whether Health Net's policies and procedures follow California's Confidentiality of Medical Information Act, the state's primary law governing the use and disclosure of medical information. The health insurer could face fines if the agency finds faults.

“We could also require them to have a corrective action plan to correct those deficiencies and ensure it doesn't happen again,” she said.

In addition, Connecticut Attorney General George Jepsen issued an alert stating that the breach could affect nearly 25,000 residents in the Constitution State.

“Health insurance companies have access to very sensitive and personal information,” Jepsen said. “They have a duty to protect that information from unlawful disclosure.”

Health Net is notifying victims, a company spokesman told SCMagazineUS.com on Tuesday. Affected individuals will be offered two years of free credit monitoring and fraud protection services.

He referred all other questions to the press release and would not answer whether the missing data is encrypted.

Meanwhile, just last month, the New York City Health and Hospitals Corp. (HHC) suffered a similar breach after backup tapes containing the personal information of 1.7 million individuals were stolen. 
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.