When a portable disk drive went missing from a Connecticut office of insurance company and Medicare Advantage contractor Health Net last May, the law required them to notify authorities and affected customers immediately. Instead they kept it under wraps until November. According to an independent security company report, they also lied about it being a theft, neglected to mention two laptop PCs were also stolen, and falsely reported the data was unreadable without special software. Some officers may be exchanging pin stripes for striped suits. Even if they do not, the story is an excellent case study in how not to handle a data breach involving patient information.

Medicare Advantage contractor Health Net (NYSE: HNT) admitted in November that a portable disk drive went missing from a Connecticut office. However, news reports now indicate the breach occurred in May, six months before Health Net reported the incident and after some affected customers learned of it via Connecticut TV news. By not reporting the breach when it occurred, Health Net could be subject to substantial fines, a loss of federal contracts and jail time for company officers, or all three.

Health Net sells health insurance in Arizona, California, Connecticut, New Jersey, New York, Oregon and Washington, is a Medicare Advantage contractor and sells pharmacy plans in other states.

At first, Health Net claimed that the breach was not reportable because data was only stored on the disk in an image format and could not be accessed without “special” software. However, the security company hired by Health Net, Kroll, concluded that the data could be easily accessed through common, commercially available software such as Adobe Reader.

Kroll also revealed that two laptop PCs were stolen at virtually the same time and that Health Net did not report that theft. The number of affected patients is likely to reach into the hundreds of thousands. Connecticut Attorney General Richard Blumenthal has accused Health Net of intentionally downplaying the breach, both by failing to report it and by understating just how vulnerable its customers now are.

Learning that the incident may have been a theft rather than a case of a disk being misplaced, as Health Net originally claimed, and that as many as 446,000 patients in Connecticut alone might have had their Social Security and bank account numbers exposed, AG Blumenthal expanded his investigation last week. He has asked federal criminal authorities to investigate the potential theft, which he says could have national ramifications.

“An independent investigative report shreds Health Net’s sanitized story,” Blumenthal told reporters, “revealing that this severe security breach was most likely a theft, and that two laptops were also stolen from Health Net’s facility at virtually the same time. [Kroll's] report dramatizes Health Net’s unconscionable delay in notifying law enforcement and its customers about this breach.”

Blumenthal said the likelihood that the drive was stolen should have raised alarms that sensitive information could be exploited for criminal purposes, and prompted a rapid response and timely disclosures both to affected members and law enforcement. He publicly accused the company of going “out of its way to dismiss and downplay this serious security breach when it should have been focusing on notifying and protecting people who may be at risk of financial fraud or having health information leaked.”

He has demanded a meeting with Health Net staff where he will seek answers to questions about the theft and the delay in reporting it. Previously, Blumenthal had announced his office would conduct an antitrust probe into Health Net’s sale of its Northeast licensed subsidiaries to UnitedHealth Group (NYSE: UNH), including the possibility of quitting all Connecticut business. That investigation is continuing.

HIPAA Privacy and Security regulations require covered entities to notify authorities and to personally contact every potentially affected customer or patient as soon as they learn that personally identifiable health information may have been lost or stolen.
