Health Net data breach affects 450,000 people
Health insurance provider Health Net reported a loss of a portable disk drive (which occurred six months ago). The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons.
Connecticut Attorney General Richard Blumenthal was "outraged" the company waited this long to go public about this major data breach:
Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information <...> Personal information is like cash and should be guarded with equal care. Casual and cavalier attitudes toward data protection and breaches are intolerable and must stop.
This case provides yet another reminder about the importance of encrypting the sensitive and protected data, including PHI, in your possession.
According to NBC Connecticut:
Blumenthal is investigating and demanding that Health Net provide consumers with at least two years of identity theft protection, identity theft insurance, reimbursement for credit freezes and credit monitoring for at least two years for all 446,000 consumers.
The state Insurance Department is also investigating and looking for information, including what led to the disc drive disappearing, what information is missing, HealthNet’s security procedures and changes they plan.
In a statement, Health Net apologized for any "inconvenience or concern" this breach may cause. The company will provide credit monitoring for 2 years. Health Net did not receive any reports of misuse of lost data.
"Health Net Loses Information for 450,000 Clients," NBC Connecticut (November 19, 2008).
