Health Net, a Woodland Hills, California-based managed healthcare provider realized that a missing hard drive contained protected health information (PHI). It affected 1.5 million customers, and 466,000 in Connecticut alone.

“The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification

letters the week of Nov. 30.”, according to a SearchSecurity News article.

Connecticut Attorney General Richard Blumenthal comments: “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Although disk encryption could not have prevented the drive from being lost it certainly could have prevented unsecured protected health information from being accessible to unauthorized individuals. Federal breach notification rules under HIPAA/ARRA/HITECH Act took effect in September, 2009, but will be start being enforced until February, 2010.

Related articles by Zemanta

• Hacker Pleads Guilty in Vast Theft of Card Numbers (nytimes.com)
• NJ man indicted in Web name theft, sale on eBay (seattletimes.nwsource.com)
• Man pleads guilty in massive ID theft case (cnn.com)
• Plea deal reached in huge credit-card data theft (cnn.com)
• TJX Hacker Agrees to Guilty Plea; Faces 15 to 25 Years (wired.com)
• Identity theft: Three accused over biggest bank card scam in US history (telegraph.co.uk)
• Health Net healthcare data breach affects1.5 million (deurainfosec.com)
• Health Insurer Loses 1.5 Million Patient Records (wired.com)
• Health Net Data Breach – 1.5 Million Records At Risk With Missing Portable Hard Drive (ducknetweb.blogspot.com)

Tags: breach notification, healthnet, PHI

This entry was posted on Thursday, November 19th, 2009 at 11:46 am and is filed under HIPAA. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.