
Health Net healthcare data breach affects 1.5 million

A lost hard drive contained seven years of patient data including Social Security numbers and medical records of more than a million Health Net customers.


Health Net, Inc. announced Wednesday that it was investigating a healthcare data security breach that resulted in the loss of seven years of patient data affecting 1.5 million customers.

The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and requires a software application to be viewed.

The company reported the breach Wednesday to state attorneys general offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process by sending letters to its customers. The company said it expects to send notification letters the week of Nov. 30.

Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach. The hard drive contained data on 446,000 Connecticut patients.

"My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long," Blumenthal said in a statement. "The company's failure to safeguard such sensitive information and inform consumers of its loss -- leaving them naked to identity theft -- may have violated state and federal laws." 

Blumenthal said the data also contained financial data, including bank account numbers. He is seeking coverage for comprehensive, long-term identity theft protection for those customers affected by the breach.


Health Net provides medical coverage for approximately 6.6 million people and its subsidiaries operate in all 50 states. In a statement, the company said the breach took place in its Connecticut office. So far there have not been any reports of fraud tied to the missing data, the company said.

"Health Net will provide credit monitoring for over two years - free of charge - to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service," the company said.

It is the second time in a month that a healthcare provider lost customer data. Anthem Blue Cross and Blue Shield of Connecticut reported a stolen laptop was to blame for a breach compromising the personal information of 850,000 doctors, therapists and other healthcare professionals. 

Security experts have long advocated that enterprises deploy encryption on laptops and other devices that contain sensitive data. Still, all the technology in the world won't end employee mistakes and carelessness, said Mike Rothman, an analyst with Security Incite.

"You can do full disk encryption and all sorts of things to protect the device, but you are still fairly constrained by user sophistication," Rothman said. "You have to start asking questions from a process standpoint relative to why this stuff was on an external drive in the first place."

In reality, you could turn off all USB ports on your devices, but that could hinder employee productivity, Rothman said. Security always gets back to making sure you have the right processes and policies in place, the right training and awareness so that employees understand what those policies are, and ways to audit those processes, he said.


Join the conversation



The Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches." The attack surface of a system refers to the parts that pose the greatest opportunity for attack or error.
I still am shocked at how careless some companies are with data. If it's portable it should be encrypted at least. I go back to an issue a few years back where my bank lost its backup tapes? They too were not encrypted. With all the health care privacy laws nowadays, things like this should be so secure it would take an army to access.