Insurer Health Net waited until March 14 to disclose a data breach discovered on Jan. 21 involving the loss of nine server drives and the data of 2 million customers, employees and health care providers.
provider of health insurance to about 6 million people across the United
States, has come under fire for reporting
the loss of nine server drives at its data center in Rancho
Cordova, Calif., nearly two
months after it occurred.
More than 2 million Health Net members, employees and health care providers
may have been affected by the data breach, including about 845,000 California
policyholders, according to The
San Francisco Chronicle
regulators are investigating the breach, the newspaper reports.
The insurer found out about the security lapse on Jan. 21, when IBM,
which manages the company's IT infrastructure, informed Health Net that it was
unable to locate server drives, according to a recording on Health Net's data
breach hotline (855-434-8081).
The health benefits provider began its investigation at that time and
learned that the nine drives included personal information for former and
current Health Net members, employees and health care providers. The company
didn't report the breach to the public until March 14.
Health Net spokesman Brad Kieffer declined eWEEK's request for additional
information on the breach but said, "We continue investigating unaccounted
for server drives, and out of an abundance of caution we are notifying our
IBM issued the following statement to
eWEEK: "IBM continues to assist Health
Net with its investigation of unaccounted-for server drives."
"Given the size and type of data lost, this is a serious breach, and
those affected should have been notified and protected immediately when IBM
notified Health Net of the loss," Rob Enderle, principal analyst for the
Enderle Group, wrote in an e-mail to eWEEK.
"While the delay was likely due to the belief that these drives were
either misplaced or reused and not logged and the hope they would turn up on a
maintenance rotation, the exposure to those that may have been compromised is
excessive, and for an insurance company not to immediately mitigate this
exposure-unforgivable," Enderle said.
Information included names, addresses, health information, Social Security
numbers and/or financial information, Health Net reports. The health provider
has begun notifying affected individuals of the security breach.
Health Net is offering two years of free identity protection through the
Debix Identity Protection Network, including fraud resolution, identity theft
insurance and restoration of credit files.
The Health Net breach could be the most serious health care data breach
since 2008, when incidents affected 2.2 million people at the University
of Utah and 2.1 million people at
the University of Miami,
according to the San Francisco Chronicle report.
In May 2009, Health Net suffered another security breach in which a portable
disk drive holding the medical and financial data on 1.5 million members
disappeared from its Connecticut
Data breach penalties for Health Net could be severe, according to Enderle.
"This has issues that range from reporting requirements under Sarbanes-Oxley
reporting requirements for the SEC of a material financial exposure resulting
from the potential liability," Enderle said. "Given the exposure
created I would expect the penalties would be, and they should be, severe as a