Health Net Delays Notification of Data Breach Involving 2 Million People

Insurer Health Net waited until March 14 to disclose a data breach discovered on Jan. 21 involving the loss of nine server drives and the data of 2 million customers, employees and health care providers.

Health Net, a provider of health insurance to about 6 million people across the United States, has come under fire for reporting the loss of nine server drives at its data center in Rancho Cordova, Calif., nearly two months after it occurred.

More than 2 million Health Net members, employees and health care providers may have been affected by the data breach, including about 845,000 California policyholders, according to The San Francisco Chronicle. California regulators are investigating the breach, the newspaper reports.

The insurer found out about the security lapse on Jan. 21, when IBM, which manages the company's IT infrastructure, informed Health Net that it was unable to locate server drives, according to a recording on Health Net's data breach hotline (855-434-8081).

The health benefits provider began its investigation at that time and learned that the nine drives included personal information for former and current Health Net members, employees and health care providers. The company didn't report the breach to the public until March 14.

Health Net spokesman Brad Kieffer declined eWEEK's request for additional information on the breach but said, "We continue investigating unaccounted for server drives, and out of an abundance of caution we are notifying our members."

IBM issued the following statement to eWEEK: "IBM continues to assist Health Net with its investigation of unaccounted-for server drives."

"Given the size and type of data lost, this is a serious breach, and those affected should have been notified and protected immediately when IBM notified Health Net of the loss," Rob Enderle, principal analyst for the Enderle Group, wrote in an e-mail to eWEEK.

"While the delay was likely due to the belief that these drives were either misplaced or reused and not logged and the hope they would turn up on a maintenance rotation, the exposure to those that may have been compromised is excessive, and for an insurance company not to immediately mitigate this exposure – unforgivable," Enderle said.

Information included names, addresses, health information, Social Security numbers and/or financial information, Health Net reports. The health provider has begun notifying affected individuals of the security breach.

Health Net is offering two years of free identity protection through the Debix Identity Protection Network, including fraud resolution, identity theft insurance and restoration of credit files.

The Health Net breach could be the most serious health care data breach since 2008, when incidents affected 2.2 million people at the University of Utah and 2.1 million people at the University of Miami, according to the San Francisco Chronicle report.

In May 2009, Health Net suffered another security breach in which a portable disk drive holding the medical and financial data on 1.5 million members disappeared from its Connecticut headquarters.

Data breach penalties for Health Net could be severe, according to Enderle.

"This has issues that range from reporting requirements under Sarbanes-Oxley to reporting requirements for the SEC of a material financial exposure resulting from the potential liability," Enderle said. "Given the exposure created I would expect the penalties would be, and they should be, severe as a result."