On Monday of this week, Health Net announced a data breach and the company's ongoing investigation into lost/stolen server drives from its data center in Rancho Cordova, Calif. According to the press release:
"This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."
This is interesting for several reasons. First, the Health Net press release disclosed neither the number of lost/stolen server drives nor the number of consumers' records lost/stolen. That's usually a bad sign that the breach is a huge one. The California Department of Managed Health Care (DMHC) issued a statement (43k bytes; PDF document) that the Health Net breach included 1.9 million current and prior Health Net customers nationwide, including:
"... more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare."
The DMHC is rightly concerned and conducting its own investigation. The DMHC statement also said that nine (9) Health Net server drives were missing.
Second, the above Health Net press release mentioned the name of an IT outsource vendor I recognized, IBM. I have had some direct, personal experience with an IBM breach. And IBM's involvement in the Health Net breach has a twist of irony.
After its 2007 data breach, IBM never disclosed what actions it took, if any, with the outsource vendor it hired to ship its backup computer data tapes to an off-site facility. Did IBM fire its vendor, or were specific vendor employees disciplined or terminated? We never learned what happened. Now, to use a common expression, "the shoe is on the other foot," as IBM is the vendor involved in its client's data breach.
Third, this is Health Net's second huge data breach. In November 2009, Health Net suffered a huge data breach. That 2009 breach also involved hard drives, and the sensitive personal data lost/stolen included the Social Security numbers, medical records and health information, dating back to 2002, of 1.5 million past and current customers in several states. During the last few months, Health Net paid fines to several states to settle the 2009 breach. Several states' attorneys general alleged that the 2009 breach violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and some states' local laws.
Fourth, ABC News focused its coverage on the delayed notification. Apparently, Health Net learned about the missing server drives in February, notified the California Attorney General's office on March 4, and then notified the public on March 14. The delay in notification was part of the rationale for the settlement fines Health Net paid as a result of its 2009 data breach.
Fifth, the Connecticut Attorney General's office has demanded that Health Net provide identity-theft and credit protections for 25,000 Connecticut residents affected by the data breach. In its breach announcement, Health Net said it has hired Debix (again) to provide two years of complimentary identity-theft and credit protection for breach victims.
Sixth, the nationwide impacts of the Health Net data breach are just becoming known. About 40,000 consumers in Washington state have been affected. I expect more states' regulatory agencies and/or attorneys general to issue statements about the impacts in their states.
After such a huge data breach in 2009, you'd think that the executives at Health Net would "get it," tighten data security, and implement both new data security policies and employee training to prevent another massive data breach. Well, another massive breach happened. As a wise person once said, actions speak louder than words.
I am hoping that the consequences for Health Net executives include much more than fines. Executives need to be fired and/or jailed. What do you think? What action, if any, should Health Net take with its outsource vendor, IBM?