Managed health care provider Health Net revealed this week that it lost the personal information of nearly two million current and past enrollees, its second massive breach in 16 months.
Health Net, a company that provides health benefits to approximately six million people nationwide, said several server hard drives recently went missing from its data center in Rancho Cordova, Calif.
The drives contained the personal information – names, addresses, health information, Social Security numbers and financial data – of former and current Health Net members, employees and health care providers, the company said in a news release Monday.
This is not the first time Health Net has experienced such an incident. In November 2009, the company revealed that it lost a hard drive containing 1.5 million customer medical records.
Health Net began investigating the most recent incident after IBM, the vendor responsible for managing Health Net's IT infrastructure, said it could not find the server drives. An IBM spokesperson could not immediately be reached for comment.
The California Department of Managed Health Care (DMHC), a watchdog agency, has launched an investigation into Health Net's security practices.
The agency on Monday said the breach involves nine servers containing the personal information of 1.9 million current and past Health Net enrollees, including more than 845,000 living in California.
Denise Schmidt, a spokeswoman for the DMHC, told SCMagazineUS.com on Tuesday that the agency will look into whether Health Net's policies and procedures follow California's Confidentiality of Medical Information Act, the state's primary law governing the use and disclosure of medical information. The health insurer could face fines if the agency finds faults.
“We could also require them to have a corrective action plan to correct those deficiencies and ensure it doesn't happen again,” she said.
In addition, Connecticut Attorney General George Jepsen issued an alert stating that the breach could affect nearly 25,000 residents in the Constitution State.
“Health insurance companies have access to very sensitive and personal information,” Jepsen said. “They have a duty to protect that information from unlawful disclosure.”
Health Net is notifying victims, a company spokesman told SCMagazineUS.com on Tuesday. Affected individuals will be offered two years of free credit monitoring and fraud protection services.
He referred all other questions to the press release and would not answer whether the missing data is encrypted.
Meanwhile, just last month, the New York City Health and Hospitals Corp. (HHC) suffered a similar breach after backup tapes containing the personal information of 1.7 million individuals were stolen.