HealthNet breach affects 1.9 million individuals

HealthNet, a California-based insurer, suffered another major data breach last month. Modern Healthcare reports that HealthNet lost data on almost two million employees, members and healthcare providers, including their medical information, Social Security numbers and other sensitive information. The loss was reportedly caused by server drives going missing from HealthNet's Rancho Cordova, CA data center. According to the insurance company's press release, HealthNet's IT vendor, IBM, notified HealthNet that it could not locate the drives.

As we noted previously, HealthNet suffered an earlier major data breach in 2009, when the company lost a portable hard drive containing sensitive and protected information on 1.5 million people. As a result of that breach, HealthNet was sued by then-Connecticut Attorney General Richard Blumenthal in the first such action brought by a state attorney general under HIPAA, as modified by the HITECH Act. HealthNet and Connecticut settled that suit in 2010 for a $250,000 fine, a $500,000 contingency fund and a corrective action plan aimed at enhancing the security of the data in HealthNet's possession.

With HHS stepping up enforcement of the HIPAA Privacy and Security Rules, HealthNet is a likely target of both federal and state investigations. If those investigations reveal negligence, or a failure to implement or comply with the corrective action plan referenced above, the fines could be far more severe than the $250,000 figure from the 2010 Connecticut settlement.

This should also serve as a reminder of the importance of requiring IT vendors to indemnify healthcare providers against such losses. If HealthNet's investigation concludes that IBM and/or its personnel were responsible for this loss, the parties will likely look to their existing contracts and business associate agreement (BAA) to determine whether IBM must reimburse HealthNet for its costs in relation to this breach.

Via Modern Healthcare:

Woodland Hills, Calif.-based health insurer Health Net announced Monday that it had lost servers containing personal health information and demographic data for nearly 2 million current and past patients.

The breach, which affects approximately 1.9 million people nationwide, occurred in February. Health Net said it cannot account for server drives missing from a data center in Rancho Cordova, Calif. Those drives contain patients' names, Social Security numbers and sensitive health information. It's not the first time Health Net enrollees have experienced a breach. In 2009, 1.5 million people were affected when a portable hard drive containing patient data went missing.

According to the California Department of Managed Health Care, the breach will affect as many as 845,000 of the state's residents. In a news release, Connecticut Attorney General George Jepsen urged the insurer to provide adequate identity protections for the 25,000 state residents whose data has been compromised.

"Health insurance companies have access to very sensitive and personal information," Jepsen said in the release. "They have a duty to protect that information from unlawful disclosure."

[In a press release,] Health Net said it would offer two years of credit monitoring and identity protection to affected customers. The insurer also has set up a hotline.


Study: Data Breaches Cost U.S. Hospitals Billions

A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, each hospital incurs about $2 million in breach-related losses over a two-year period, which the study extrapolates to a cumulative loss of roughly $12 billion for all U.S. hospitals over the same period (about $6 billion per year).

The study also found that:

  • Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. 71% of healthcare organizations reported having inadequate resources, 52% reported not having appropriately trained personnel, and 69% reported having insufficient policies and procedures in place to prevent and quickly detect patient data loss, leaving such organizations with little or no confidence in their ability to secure patient records.
  • Protecting patient data is not a priority for 70% of hospitals, with 67% reporting fewer than two staff members dedicated to privacy and security issues.
  • 71% do not believe that the new federal regulations under the HITECH Act have significantly changed how patient records are managed.

According to the Wall Street Journal's Health Blog:

  • A full 60% of the organizations included in the study had more than two data breaches over the previous two years, at a cost of $2 million per organization.
  • The average breach involved 1,769 lost or stolen records.
  • Senior personnel at the organizations surveyed felt unprepared to prevent or quickly detect breaches. Some 58% of the organizations "have little or no confidence" in the ability of their organization to detect all patient data loss or theft.
  • Patients were the first to detect data breaches, report 41% of the organizations.
  • Most of the respondents have either put in place an electronic medical records system or are in the process of doing so. And 74% of those with an EHR system say it has made data more secure. Another 12% said the system made no difference in security, 10% say it made data less secure and 4% were unsure.

The full study is available from the Ponemon Institute (registration required).

"Study: Data Breaches Cost Hospitals $6 Billion Per Year," WSJ Health Blog (November 9, 2010).


Massive Data Loss Affects Nearly Every Doctor in America

Major losses or breaches of personal information are no longer limited to patients: The Chicago Tribune reports that the Blue Cross Blue Shield Association lost sensitive personal information, in some cases including Social Security numbers, on about 800,000 physicians, nearly all the doctors in the United States. As has become all too common, the loss traces back to a stolen laptop. According to the Tribune:

The Chicago-based Blue Cross and Blue Shield Association, a trade group for the nation's Blue Cross health insurance plans, confirmed an employee "broke protocol and transferred to a personal laptop" information that was later stolen in late August.

No patient information was on the database, so concern by consumers having personal health records breached is unwarranted, the association said. And doctors have not reported security breaches.

About 16 to 20 percent of the doctors listed in the database have their Social Security numbers as their medical-care provider identification, putting these health professionals at risk for identity theft.

Despite receiving no reports of identity theft, Blue Cross Blue Shield Association is offering credit monitoring services to those providers whose Social Security numbers were exposed.

"Blue Cross warns doctors about stolen identification data," The Chicago Tribune (October 14, 2009).