Medical Data Breach of the Month Department: Health Net Once Again a Star in the Healthcare Renewal Theatre

I have written frequently about the breaches of electronic information security, such as at my posts:

"Networked EMR's and Healthcare Information Security: Practical When Massive IT Security Breaches Continue?"

"Networked, Interoperable, Secure National Medical Records a Castle in the Sky?"

"Operation Aurora And a Widespread Reluctance to Discuss IT Flaws: Is Universal Healthcare IT Really a Good Idea in 2010?"

Medical data breach of the week - but your EMR data is secure, trust us, we're IT experts

and others.

This latest medical information breach only affected a mere 2 million people this time.

Perhaps we should go for 20 million next time?

And then - there were substantial delays in notification (to give identity thieves time to get rich?)

Health Net Delays Notification of Data Breach Involving 2 Million People

By: Brian T. Horowitz
2011-03-16

Insurer Health Net waited until March 14 to disclose a data breach discovered on Jan. 21 involving the loss of nine server drives and the data of 2 million customers, employees and health care providers.

Health Net, a provider of health insurance to about 6 million people across the United States, has come under fire for reporting the loss of nine server drives at its data center in Rancho Cordova, Calif., nearly two months after it occurred.

More than 2 million Health Net members, employees and health care providers may have been affected by the data breach, including about 845,000 California policyholders, according to The San Francisco Chronicle. California regulators are investigating the breach, the newspaper reports.

How did this happen?

The insurer found out about the security lapse on Jan. 21, when IBM, which manages the company's IT infrastructure, informed Health Net that it was unable to locate server drives, according to a recording on Health Net's data breach hotline (855-434-8081).

These drives perhaps are of a new technology, with motorized robotic legs that allow them to walk away.

Or perhaps the drives were like this, where the round drive platter stacks perform double duty as wheels:


A "mobile" hard drive. Click to enlarge.


The drives just rolled away - to the tune of Steppenwolf's "Born to be Wild" ...


These drives were just Born to be Wild! Click to play.


Get your motor runnin' ... head out on the highway ...

The health benefits provider began its investigation at that time and learned that the nine drives included personal information for former and current Health Net members, employees and health care providers. The company didn't report the breach to the public until March 14.

Gee, thanks.

Health Net spokesman Brad Kieffer declined eWEEK's request for additional information on the breach but said, "We continue investigating unaccounted for server drives, and out of an abundance of caution we are notifying our members."

"Abundance of caution" and an almost 2-month delay do not belong in the same news story.

... "Given the size and type of data lost, this is a serious breach, and those affected should have been notified and protected immediately when IBM notified Health Net of the loss," Rob Enderle, principal analyst for the Enderle Group, wrote in an e-mail to eWEEK.

Indeed.

"While the delay was likely due to the belief that these drives were either misplaced or reused and not logged and the hope they would turn up on a maintenance rotation, the exposure to those that may have been compromised is excessive, and for an insurance company not to immediately mitigate this exposure—unforgivable," Enderle said.

"Hope/keeping your fingers crossed" and "due diligence/corporate responsibility" also do not belong in the same paragraph.

Information included names, addresses, health information, Social Security numbers and/or financial information, Health Net reports. .

All the news that's fit to print.


The Health Net breach could be the most serious health care data breach since 2008, when incidents affected 2.2 million people at the University of Utah and 2.1 million people at the University of Miami, according to the San Francisco Chronicle report.

Since 2008, eh, way back when, ancient history, when dinosaurs ruled the earth?

In May 2009, Health Net suffered another security breach in which a portable disk drive holding the medical and financial data on 1.5 million members disappeared from its Connecticut headquarters.

The portable disk drives must have robotic legs, too.

Data breach penalties for Health Net could be severe, according to Enderle.

Perhaps that's why they were crossing their fingers hoping the drives would turn up somehow?

Finally, I note that this company has also been busy in recent years making a name for themselves in the Healthcare Renewal Theatre in other ways. They're stars! See http://hcrenewal.blogspot.com/search/label/Health%20Net

-- SS