This week, the Hartford Courant newspaper reported that an external hard drive at Health Net:
"... with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut... The insurance company informed the state attorney general's office and the Department of Insurance Wednesday of the security breach that puts personal medical records at risk in a historic lapse, the first of its kind to be publicly reported... The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present — in Arizona, Connecticut, New Jersey, and New York..."
The State of Connecticut's Insurance Commissioner has required Health Net to provide its breach victims with credit monitoring service. Reportedly, breach victims will receive two years of free credit monitoring via the Debix service. Debix has not responded yet to inquiries about its services for Health Net.
While I don't write about every data breach in this blog, I do cover breaches that have huge implications. And this breach definitely qualifies. Why?
- The sensitive PHI data exposed (e.g., lost, stolen, or both) really facilitates medical identity fraud
- Two years of free credit monitoring service is a great start for breach victims, but fraudsters don't magically stop their criminal activities after two years
- It is unforgivable that Health Net waited 6 months before informing state officials and consumers
- This breach highlights the problem with employees regularly storing large amounts of sensitive consumer information on laptop computers
- A breach like this makes one wonder what training, if any, Health Net mandates and provides for its employees
- None of the company's communications so far discuss its investigation into the breach and if a vendor or contractor was involved
- The Health Net site does not contain any press releases about the breach or about the insurance company's breach response and assistance for its breach victims
- Standard breach responses include the formation of a breach site to answer breach victims' questions and to report on the status of the investigation. If there is a breach site, it hasn't been disclosed.
When I read about a breach incident like this, I get the clear impression that the company really didn't want to disclose anything about its data breach, and wouldn't have disclosed anything if it hadn't been required to by law. Those are not the actions of a trustworthy company acting with integrity.