HealthNet, a California-based insurer, suffered another major data breach last month. Modern Healthcare reports that HealthNet lost data on almost two million employees, members and healthcare providers, including their medical information, Social Security numbers and other sensitive information. The loss was reportedly caused by server drives missing from HealthNet's Rancho Cordova, CA data center. According to the insurance company's press release, HealthNet's IT vendor, IBM, notified HealthNet that it could not locate the drives.
As we noted previously, HealthNet suffered another major data breach in 2009, when the company lost a portable hard drive containing sensitive and protected information on 1.5 million people. As a result of that breach, HealthNet was sued by then-Connecticut Attorney General Richard Blumenthal, in the first such action under HIPAA, as modified by the HITECH Act. HealthNet and Connecticut settled this suit in 2010 for a $250,000 fine, a $500,000 contingency fund and a corrective action plan aimed at enhancing the security of the data in HealthNet's possession.
With HHS stepping up enforcement of HIPAA and the HIPAA Privacy and Security Rules, HealthNet will become a likely target of both federal and state investigations. If such investigations reveal negligence, or a failure to implement or comply with its own corrective action plan referenced above, the fines could be much more severe than the $250,000 number from the Connecticut settlement in 2010.
This should also serve as a reminder about the importance of requiring IT vendors to indemnify healthcare providers against such losses. If HealthNet's investigation concludes that IBM and/or its personnel were responsible for this loss, the parties will likely look to their existing contracts and BAA to determine whether IBM will reimburse HealthNet for its costs in relation to this breach.
Via Modern Healthcare:
Woodland Hills, Calif.-based health insurer Health Net announced Monday that it had lost servers containing personal health information and demographic data for nearly 2 million current and past patients.
The breach, which affects approximately 1.9 million people nationwide, occurred in February. Health Net said it cannot account for server drives missing from a data center in Rancho Cordova, Calif. Those drives contain patients' names, Social Security numbers and sensitive health information. It's not the first time Health Net enrollees have experienced a breach. In 2009, 1.5 million people were affected when a portable hard drive containing patient data went missing.
According to the California Department of Managed Health Care, the breach will affect as many as 845,000 of the state's residents. In a news release, Connecticut Attorney General George Jepsen urged the insurer to provide adequate identity protections for the 25,000 state residents whose data has been compromised.
"Health insurance companies have access to very sensitive and personal information," Jepsen said in the release. "They have a duty to protect that information from unlawful disclosure."
[In a press release,] Health Net said it would offer two years of credit monitoring and identity protection to affected customers. The insurer also has set up a hotline.