Health Net data loss second major insurer breach of 2009

A disk drive containing patient and physician information dating to 2002 was lost, but the company said the data could not be extracted easily.

By Emily Berry — Posted Dec. 7, 2009

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Health Net in November announced that thousands of its members and network physicians could be at risk for identity theft due to a lost portable disk drive that the company said had "gone missing" six months earlier.

However, the disk drive containing millions of image and text files could only be interpreted with software proprietary to Health Net, spokeswoman Alice Ferreira said. "For a layperson it would be difficult to understand what was on the drive."

Information included claims data from 2002 to the present for members in Connecticut, New Jersey and New York, along with associated physician information. Ferreira said she could not speculate about how many physicians would be affected.

Health Net had about 580,000 members in those three states as of Sept. 30, but the disk also contained information about past members.

According to the Connecticut State Medical Society, as many as 5,000 physicians in that state alone could be affected by the breach.

"We are especially concerned because health insurers keep more personal information on file for physicians than they do for patients," said Matthew Katz, executive vice president of CSMS.

The portable disk drive disappeared from Health Net's Shelton, Conn., office in May, but no one outside the company, including the state insurance commissioner, was notified until Nov. 18.

Ferreira said that for the intervening six months, the company was conducting its own investigation, with the help of forensics experts, to figure out what exactly was on the drive. The final report was delivered the week of Nov. 18, she said. "If we had gone any earlier we would still be in the midst of investigation."

She said physicians in Health Net's Northeast network would receive letters notifying them of the breach.

The company has agreed to pay for two years of credit monitoring for affected doctors and patients who request it, as required by Connecticut Insurance Commissioner Thomas R. Sullivan. Instructions for making that request will be in the letters to physicians, Ferreira said.

She said there has been no sign that the information has been misused, but that the credit monitoring and repair services would be retroactive to when the disk drive was lost.

Sullivan sent a letter to Health Net asking for more information about the data breach, and gave them until Dec. 1 to respond.

He asked exactly how many people were affected, what led to the loss of the disk drive and whether it contained protected health information. Sullivan also sought documentation of Health Net's security procedures, an explanation of what changes the plan has made in response to what happened, and why it took so long for the company to notify his office.

"Rest assured that my office is committed to a thorough review of this situation, and will determine next steps and appropriate enforcement action," the commissioner said in a news release.

This is the second reported insurance company data breach this year involving thousands of physicians. The other came to light in October when BlueCross BlueShield-affiliated plans across the country began notifying physicians that a laptop belonging to an employee of the Chicago-based BlueCross BlueShield Assn. was stolen in August.

An unencrypted file containing identifying information for every Blues-contracted physician in the country -- about 850,000 physicians in total -- was saved on the laptop. So far there's been no evidence the data have been misused, but state regulators have been critical of the Blues for allowing the breach to happen and for taking months to report it.

AMA delegates at their November Interim Meeting passed a resolution calling for Blues plans to pay for five years of credit monitoring for affected physicians, and for any health insurer that experienced a similar breach to notify physicians immediately. The Blues are covering credit monitoring for one year.

UnitedHealth Group is set to acquire Health Net's Northeast business in a deal reached in July.

Health Net's members in the Northeast will have to option to renew with United, and the final value of the deal will depend on how many of them do so. The acquisition is pending regulatory approval.

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn