Health Net Breach Exposes 1.5 Million Consumers' Medical Records
Thursday, November 19, 2009
This week, the Hartford Courant newspaper reported that an external hard drive at Health Net:
"... with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut... The insurance company informed the state attorney general's office and the Department of Insurance Wednesday of the security breach that puts personal medical records at risk in a historic lapse, the first of its kind to be publicly reported... The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present — in Arizona, Connecticut, New Jersey, and New York..."
The State of Connecticut's Insurance Commissioner has required Health Net to provide its breach victims with credit monitoring service. Reportedly, breach victims will receive two years of free credit monitoring via the Debix service. Debix has not responded yet to inquiries about its services for Health Net.
While I don't write about every data breach in this blog, I do cover breaches that have huge implications. And this breach definitely qualifies. Why?
- The sensitive PHI exposed (whether the drive was lost, stolen, or lost and then stolen) directly facilitates medical identity fraud
- Two years of free credit monitoring service is a good start for breach victims, but fraudsters don't magically stop their criminal activities after two years, and unlike a credit card number, a Social Security number or a medical history cannot simply be reissued
- It is unforgivable that Health Net waited six months before informing state officials and consumers
- This breach highlights the problem of employees routinely storing large amounts of sensitive consumer information on portable devices (laptops, external hard drives) rather than on controlled systems; if such a device is not encrypted, losing the device means losing the data
- A breach like this makes one wonder what training, if any, Health Net mandates and provides for its employees
- None of the company's communications so far discuss its investigation into the breach or whether a vendor or contractor was involved
- The Health Net site does not contain any press releases about the breach or about the insurance company's breach response and assistance for its breach victims
- Standard breach responses include setting up a breach site to answer breach victims' questions and to report on the status of the investigation. If there is a breach site, it hasn't been disclosed.
When I read about a breach incident like this, I get the clear impression that the company really didn't want to disclose anything about its data breach, and wouldn't have disclosed anything if it wasn't required to by law. Those are not the actions of a trustworthy company acting with integrity.
Yeah, we just got our notification and that would be one month later. So, the cynic I am asks, what might be the secret business connections between Health Net and Debix? I'd love to have any relevant info on that...
Posted by: frea | Wednesday, December 16, 2009 at 07:43 PM
You yellow-journalism shysters. You use an ellipsis to omit the fact that the hard drive is merely missing. Nobody knows whether it has been stolen or not. Rather than include the facts honestly you cover them with an ellipsis to make the whole story elicit more fear and panic, to make people believe that it is known FOR SURE that the hard drive was stolen and not merely lost. I congratulate you on your strategy for roping in readership who love to recoil in morbid fear.
The comment posted above is classic paranoia. OF COURSE there is a business connection between Health Net and Debix: Health Net is paying big money to Debix to cover victims for two years at no cost to the victim. Why is it doing this? To minimize its own future liability exposure if (a) this missing hard drive ever produces material consequences and (b) the hard drive's absence is successfully argued to be the result of Health Net's culpable/liable conduct. Duh. Health Net is paying Debix for something that makes Health Net better off. And THAT qualifies as a big secret conspiracy? When you induce your mechanic to repair your car by offering a sum of money for doing so, is that a morally corrupting transaction because each of you greedy connivers is better off than if you gave all of your money away to people who prefer to be whining, flinching "victims" of problems rather than solvers of problems?
Posted by: Christopher L. Simpson | Saturday, January 09, 2010 at 10:33 PM
Health Net did state that a forensic investigation was done to determine what information was exposed and that the lost drive contained images or scans of paper documents, not data. You're right, no contractor/vendor was disclosed.
In addition to the breached information mentioned (medical, SSN, addresses etc) they also reported that some financial information for some members was exposed. No number or percentage was released.
The deal with Debix gives members 2 yrs of their service plus Debix will restore the identity, at no charge, of any exposed member who experienced an identity theft between May 14, 2009 and the date of their notification letter.
Hope this helps others searching for this info.
For those interested, here is our (Identity Theft Labs) review of the Debix service.
http://www.identitytheftlabs.com/loudsiren-review/ or you can simply access it through the link in my signature.
Posted by: Identity Theft Labs | Friday, January 15, 2010 at 02:32 PM
Great but I hope even better though!
Posted by: Nick | Wednesday, March 17, 2010 at 11:55 AM
I just got my letter a few days ago. When did all of this happen?
Posted by: Kayka44 | Tuesday, April 05, 2011 at 05:29 PM
If this happened way back in 2009 why am I just now getting the letter concerning debix? It is dated 7/27/2011
Posted by: Diane | Monday, August 01, 2011 at 11:55 AM
Diane:
Your note did not state what state you live in. That is important because 46 of 50 states have laws requiring notification after a data breach. If you live in a state that doesn't require notification, then that might explain things.
Assuming you live in a state that has laws requiring consumer notification after a data breach, there are several possible reasons for a delay. While incompetence is always a possibility, they may have had trouble finding you if you have moved since you were a patient.
Some states' breach notification laws are flexible (e.g., when the number of affected consumers is small), in that they allow the company to post notices or ads in newspapers rather than send a breach notification letter to each person's home via surface mail.
Typically after a data breach, companies hire private investigators to track down people they can't find -- who have moved their residence, once or several times. I learned about this when experiencing the consequences of IBM's data breach in 2007.
I do not know the specifics of the delay in your personal notification. Regardless, 2 years to notify you seems absurdly long. Get an attorney to help you assess your rights. Or contact the attorney general office or consumer protection agency in the state where you live. Typically, both offices provide very helpful information online.
Good luck and let us know what happens.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, August 01, 2011 at 01:52 PM
I'm in the same situation as Diane - my letter is also dated 07/27/2011 - and I have lived at the same address for more than 15 years.
Posted by: Ruta | Monday, August 15, 2011 at 04:32 PM
I just got off the phone with Debix and was informed that there was a security breach in 2009 AND 2011! I'm so angry with Health Net...what a bunch of losers.
Posted by: tara | Thursday, January 12, 2012 at 05:32 PM