By: Elizabeth Litten and Michael Kline

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. As reported in a recent posting, prior to yesterday, the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network was perhaps the largest marcher in the parade of large PHI security breaches, with a reported 1,700,000 persons potentially affected. As of March 14, 2011, it appears that Health Net is grappling with a breach that could involve as many as 1,900,000 persons, which would give it the distinction of having the largest and potentially loudest marching band in the Security Breach Parade.

This breach was described in a press release issued by the California Department of Managed Health Care (“DMHC”):


The company [Health Net] announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare. Health Net is conducting an investigation into the drives discovered missing from its Rancho Cordova data center.  


Health Net itself issued a press release that does not mention the number of persons affected, and that implies its vendor, IBM, may bear responsibility for the breach:


This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information. While the investigation continues, Health Net has made the decision out of an abundance of caution to notify the individuals whose information is on the drives. To help protect the personal information of affected individuals, Health Net is offering them two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance. These services will be provided through the Debix Identity Protection Network.


Health Net’s press release then (tautologically, since the press release is accessible under the “Newsroom” link at the bottom of Health Net’s home page) directs readers to Health Net’s website for more information. I was unable to find additional information about the breach or Health Net’s investigation on the website. It’s good to know that, “out of an abundance of caution” (and at what must be quite an abundance of expense), Health Net will be notifying the 1.9 million affected persons and offering them two years of free credit monitoring services. Perhaps the next large entity entrusted with PHI will exercise an “abundance of caution” by encrypting the information contained on its server drives to avoid having to march in the ever-growing Security Breach Parade. 


Health Net, however, is no stranger to the Security Breach Parade. As reported previously in this blog series, Health Net and its affiliates have made payments to the states of Connecticut and Vermont in actions brought by the respective attorneys general of those states for HIPAA/HITECH violations. It does not end there. Today the Attorney General of the State of Washington published a release stating that Health Net had informed the Washington Attorney General’s Office on Monday that “approximately 39,877 Washington residents” may be affected by a data breach. This developing situation warrants continued monitoring.