For the second time in less than a year, health insurance giant Health Net, Inc., is involved in a potential major breach of clients’ protected health information (PHI).
The insurer, which serves 6 million clients, is investigating the potential loss of nine server drives that included PHI and personal information of 1.9 million past and current enrollees from its data center operation in Rancho Cordova, CA, the California Department of Managed Health Care (DMHC) wrote in a press release Monday.
Though Health Net did not specify how many individuals were affected in its own March 14 press release, DMHC arrived at the 1.9 million total after including the records of 622,000 of DMHC’s state enrollees in the breach.
If California’s numbers hold up, it would be the largest breach of unsecured PHI reported to the Office for Civil Rights (OCR). OCR, which enforces the HIPAA Privacy and Security Rules, began posting entities reporting breaches affecting 500 or more individuals in February 2010, per a provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Right now, a breach in Manhattan that affected 1.7 million patients is No. 1 on the OCR list. On February 9, the New York City Health and Hospitals Corporation (HHC) reported that it had begun notifying the affected patients, staff, contractors, vendors, and others who were treated by and/or provided services to HHC during the past 20 years.
The Connecticut attorney general is asking Health Net for identity theft and credit protections for nearly 25,000 Connecticut residents “because their medical and personal information may have been compromised in a nationwide data breach in early February,” according to a press release from Connecticut Attorney General George Jepsen’s office.
Health Net’s potential loss included PHI and personal information for 24,599 Connecticut residents, including 18,279 Medicare subscribers, 700 Medicaid subscribers, and 5,620 commercial subscribers.
The information may include:
- Health information
- Social Security numbers
- Financial information
IBM, a business associate of Health Net, notified the insurer that it could not locate several server drives. IBM manages Health Net’s IT infrastructure.
“After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and healthcare providers is on the drives,” Health Net wrote on its website.
Health Net has notified the individuals whose information is on the drives. It has offered them two years of free credit monitoring services, “including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance.”
In January, Health Net paid a third penalty over its loss of a portable disk drive that exposed PHI of 1.5 million people. Vermont’s state attorney general fined the insurer $55,000; the case included 525 Vermonters.
Health Net discovered the drive was missing on May 14 but did not start notifying affected parties until more than six months later, the state AG’s office reported in a press release.
Attorney General William Sorrell’s January 14 complaint against Health Net, Inc., and Health Net of the Northeast, Inc. charges the insurer with violations of HIPAA, Vermont’s Security Breach Notice Act, and the Consumer Fraud Act.
For the earlier breach, Health Net settled with the Connecticut state attorney general’s office for $250,000 and also with the Connecticut Insurance Commission. The state AG’s office reached a settlement with Health Net in which the insurer had to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.
It was the first such settlement for HIPAA violations involving newly-granted HIPAA lawsuit powers through HITECH.