Online Personal Finance Web Sites: a "Perception of Security?"
Anybody Can Buy And Operate an ATM Machine

Health Net Breach Exposes 1.5 Million Consumers' Medical Records

This week, the Hartford Courant newspaper reported that an external hard drive at Health Net:

"... with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut... The insurance company informed the state attorney general's office and the Department of Insurance Wednesday of the security breach that puts personal medical records at risk in a historic lapse, the first of its kind to be publicly reported... The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present — in Arizona, Connecticut, New Jersey, and New York..."

The State of Connecticut's Insurance Commissioner has required Health Net to provide its breach victims with credit monitoring service. Reportedly, breach victims will receive two years of free credit monitoring via the Debix service. Debix has not responded yet to inquiries about its services for Health Net.

While I don't write about every data breach in this blog, I do cover breaches that have a huge implications. And this breach definitely qualifies. Why?

  • The sensitive PHI data exposed (e.g., lost, stolen, or both) really facilitates medical identity fraud
  • Two years of free credit monitoring service is a great start for breach victims, but fraudsters don't magically stop their criminal activities after two years
  • It is unforgivable that Health net waited 6 months before informing state officials and consumers
  • This breach highlights the problem with employees regularly storing large amounts of sensitive consumer information on laptop computers
  • A breach like this makes one wonder what training, if any, Health net mandates and provides for its employees
  • None of the company's communications so far discuss its investigation into the breach and if a vendor or contractor was involved
  • The Health Net site does not contain any press releases about the breach or about the insurance company's breach response and assistance for its breach victims
  • Standard breach responses include the formation of a breach site to answer breach victims' questions, and to report on a status of the investigation. If there is a breach site, it hasn't been disclosed.

When I read about a breach incident like this, I get the clear impression that the company really didn't want to disclsoe anything about its data breach, and wouldn't have disclosed anything if it wasn't required to by law. That is not the actions of a trustworthy company acting with integrity.


Feed You can follow this conversation by subscribing to the comment feed for this post.


yeah, we just got our notification and that would be one month later. so, the cynic i am asks, what might be the secret business connections between Health Net and and Debix? i'd love to have any relevent info on that...........

Christopher L. Simpson

You yellow-journalism shysters. You use an ellipsis to omit the fact that the hard-drive is merely missing. Nobody knows whether it has been stolen or not. Rather than include the facts honestly you cover them with an ellipsis to make the whole story elicit more fear and panic, to make people believe that it is known FOR SURE that the hard- drive was stolen and not merely lost. I congratulate you on your strategy for roping in readership who love to recoil in morbid fear.

The comment poasted above is classic paranoia. OF COURSE there is a business-connection between Health-Net and Debix: Health-Net is paying big money to Debix to cover victims for two years at no cost to the victim. Why is it doing this? To minimize its own future liability-exposure if (a) this missing hard-drive ever produces material consequences and (b) the hard-drive's absence is successfully argued to be the result of Health-Net's culpable/ liable conduct. Duh. Health-Net is paying Debix for something that makes Health-Net better off. And THAT qualifies as a big secret conspiracy? When you induce your mechanic to repair your car by offering a sum of money for doing so is that a morally corrupting transaction because each of you greedy connivers is better off than if you gave all of your money away to people who prefer to be whining flinching "victims" of problems rather than solvers of problems?

Identity Theft Labs

Heath Net did state that a forensic investigation was done to determine what information was exposed and that the lost drive contained images or scans of paper documents not data. Your right no contractor/vendor was disclosed.

In addition to the breached information mentioned (medical, SSN, addresses etc) they also reported that some financial information for some members was exposed. No number or percentage was released.

The deal with Debix gives members 2 yrs of their service plus Debix will restore the identity, at no charge, of any exposed member who experienced an identity theft between May 14, 2009 and the date of their notification letter.

Hope this helps others searching for this info.

For those interested, here is our (Identity Theft Labs) review of the Debix service. or you can simply access it through the link in my signature.


Great but I hope even better though!


I just got my letter a few days ago..When did all of this happen?


If this happened way back in 2009 why am I just now getting the letter concerning debix? It is dated 7/27/2011



Your note did not state what state you live in. That is important because 46 of 50 states have laws requiring notification after a data breach. If you live in a state that doesn't require notification, then that might explain things.

Assuming you live in a state that has laws requiring consumer notification after a data breach, there are several possible reasons for a delay. While incompetence is always a possibility, they may have had trouble finding you if you have moved since you were a patient.

Some states' breach notification laws are flexible (e.g., the number of affected consumers is small), in that they allow the company to post notices or ads in newspapers rather than to send a breach notification letter to each person's home via surface mail.

Typically after a data breach, companies hire private investigators to track down people they can't find -- who have moved their residence, once or several times. I learned about this when experiencing the consequences of IBM's data breach in 2007.

I do not know the specifics of the delay in your personal notification. Regardless, 2 years to notify you seems absurdly long. Get an attorney to help you assess your rights. Or contact the attorney general office or consumer protection agency in the state where you live. Typically, both offices provide very helpful information online.

Good luck and let us know what happens.



I'm in the same situation as Diane - my letter is also dated 07/27/2011 - and I lived at the same address for more than 15 years.


I just got off the phone with Debix and was informed that there was a security breach in 2009 AND 2011! I'm so angry with Health Net...what a bunch of losers.

The comments to this entry are closed.