After Health Net, Inc. in California announced Monday that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves "personal information for 1.9 million current and past enrollees nationwide."
The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan's statement, saying that the missing records on nine servers are "for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare."
"The DMHC has opened an investigation into Health Net's security practices," said DMHC spokesperson Lynne Randolph. "Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed."
In a statement posted on its website, Health Net did not specify the number of servers, saying only that there are "several," nor did the company specify the number of enrollees whose data may be compromised. It characterized the files as "unaccounted for." Asked if the DMHC's statement regarding the scope of the breach is accurate, Health Net spokesman Brad Kieffer says, "Our press release constitutes our statement to the media."
The Los Angeles-based health plan said the investigation "follows notification by IBM, Health Net's vendor responsible for managing Health Net's IT (information technology) infrastructure, that it could not locate several server drives.
"Personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information," the Health Net statement said.
Health Net says it is notifying the individuals whose information is on the drives "out of an abundance of caution."
Health Net says that it provides health benefits to approximately 6 million people in the U.S. through health plans and government-sponsored managed care plans in group, individual, Medicare Part D, Medicaid, Department of Defense and TRICARE and Veterans Affairs programs. Its behavioral health services subsidiary, Managed Health Network, Inc., provides behavioral health, substance abuse and employee assistance programs to approximately 5.4 million individuals.
Health Net also includes this statement: "To help protect the personal information of affected individuals, Health Net is offering them two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance. These services will be provided through the Debix Identity Protection Network."
The files reportedly went missing from Health Net's data center in Rancho Cordova, near Sacramento.
This is the second time in less than a year that the large national health plan had a major breach of personal health information.
In January of this year, Health Net paid for the third time over its loss of a portable disk drive that exposed PHI of 1.5 million people. Vermont's state attorney general fined the insurer $55,000; the case included 525 Vermonters.
Health Net discovered the drive was missing May 14 but did not start notifying affected parties until more than six months later, the state AG's office reported.
Vermont Attorney General William Sorrell's January 14 complaint against Health Net, Inc., and Health Net of the Northeast, Inc. charges the insurer with violations of HIPAA, Vermont's Security Breach Notice Act, and the Consumer Fraud Act.
Regarding the same breach, Health Net not only settled with the Connecticut state attorney general's office for $250,000, but also with the Connecticut Insurance Commission. That state AG's office reached a settlement with Health Net in which the insurer had to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.
Additional reporting provided by HCPro's Dom Nicastro.