Health Net Faces Another InvestigationCalif. Insurance Dept. to Investigate Breach Incident
The California Department of Insurance will conduct an investigation into whether Health Net "did everything it could have done to avoid and appropriately remedy this security breakdown," said Dave Jones, insurance commissioner.
"With identity theft crimes on the rise, it is more important than ever to act immediately and comprehensively in addressing a privacy breach," Jones said. "Although Health Net has agreed to provide us with the findings of its internal investigation, I intend to conduct a follow-up investigation of the breach."
On Monday, the California Department of Managed Healthcare also announced it's conducting an investigation.
Breach Stems From Missing DrivesThe breach was the result of server drives missing from a California data center managed by IBM. In a hotline recording for those affected, Health Net said IBM notified the company January 21 that the drives were missing.
If the total number of individuals affected holds up, the incident will be the largest reported so far under the HITECH Act breach notification rule, which went into effect in September 2009.
Although Health Net declined to confirm the number of individuals affected or the number of drives involved, the California Department of Managed Healthcare said information on 1.9 million individuals nationwide was on nine missing server drives. The department said those affected included more than 622,000 enrollees in Health Net products regulated by the department, more than 223,000 enrolled in California Department of Insurance products and others enrolled in Medicare.
On Wednesday, the Washington state attorney's general office said that nearly 40,000 residents may have been affected by the breach. The Connecticut attorney general said Monday that information on nearly 25,000 residents of that state may have been affected, and that office is conducting an investigation of the breach incident.
Second Breach IncidentThe January incident marks the second time Health Net has reported a major health information breach stemming from a missing drive.
In the wake of a similar Health Net incident in May 2009, which involved the loss of a computer disk drive that affected up to 1.5 million consumers nationwide, former Connecticut Attorney General Richard Blumenthal last July reached a settlement with the insurer. Health Net agreed to a $250,000 payment and a corrective action plan. That case marked the first time a state attorney general filed a HIPAA civil lawsuit as enabled by the HITECH Act.
Health Net also was fined by the Connecticut Insurance Department and the Vermont attorney general in connection with that 2009 incident (See: Health Net Fined Again for Breach).
In a press release, Health Net said its investigation of the latest breach incident "follows notification by IBM, Health Net's vendor responsible for managing IT infrastructure, that it could not locate several server drives" at a data center in Rancho Cordova, Calif. "After a forensics analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives," the company stated. That information may include names, addresses, health information, Social Security numbers and/or financial information.
Health Net is offering those who may have been affected "two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance."
The insurer provides health benefits to about 6 million individuals.
Breaches affecting 500 or more individuals must be reported to federal authorities and the individuals affected within 60 days under the HITECH Act breach notification rule. As of Thursday morning, the Health Net breach was not yet on the federal list of major health information breaches. New incidents are added to the list once the HHS Office for Civil Rights confirms the details.