Health Net has announced the loss of a portable disk drive which has resulted in a data breach of 446,000 people. Data security programs, such as full disk encryption from AlertBoot, were not used to secure the personal information. This happened six months ago, and, boy, is Connecticut’s Attorney General Blumenthal angry.
Looks Like Health Net Didn’t Even Consider The Possibility of a Breach
It seems to me that Health Net just was not prepared for a breach. At all. Not only have they notified the state’s AG six months after the incident took place, and not used encryption software to protect what can only be described as a database of patient information, but they weren’t aware of what was on that missing drive.
Maybe it took them 6 months just to figure out what was on it? Even so, it seems like an inordinately long period. An investigation by Health Net led them to conclude the following:
SSNs and bank account numbers 446,000 Connecticut patients, past and present, were included
The information was not encrypted, but compressed, which requires a data compression program to make sense of the data
Compression programs, however, are free to download. My guess is that Health Net probably used an easily available one such as WinZip, so I wouldn’t put too much faith on that to protect the data.
More Than 446,000 Affected?
Initially, I got the feeling that more than 446,000 people were affected. Why? The emphasis on 446,000 Connecticut patients. Health Net does business in at least seven states (which actually extends to all 50 when taking into account subsidiaries) but they would report CT patient figures only to that state’s Attorney General (like many companies have done in the past).
However, seeing how the external drive was stolen from a Shelton, CT office and Health Net’s headquarters is in California–and there’s no corresponding news from California, the state where legislation on breach notification letters was first passed–I think it’s safe to assume 446,000 is all there is to it.
Which is a lot.
Paying for Two Years of Credit Monitoring
Blumenthal has demanded at least two years of identity theft protection from Health Net, and the company has acquiesced.
They did note that, so far, they have not received any reports of data misuse. Which, as far as I’m concerned, is just a preposterous observation. Why would people contact their HMO if they fall victim to identity theft? Would they even suspect their HMOs? Especially considering that no one but the HMO was aware of the data breach? Preposterous.
Even more questionable is the lack of encryption on that portable drive, or at least on the file that contained patient data. Health Care now has managed to anger the state AG and their patients, and is in breach of a number of laws, including HIPAA.