There were stories yesterday like this one at Health Leaders Media and this one at the LA Times reporting that California-based insurer Health Net has suffered yet another massive data breach, this time involving 1.9 million current and past customers, health-care providers and employees. The information involved may include their names, addresses, health information, Social Security numbers and/or financial information, the company said.
In 2009, Health Net reported that a hard drive containing seven years worth of financial and medical information on 1.5 million customers went missing. The drive was lost in May of 2009, but this fact wasn't reported until November of that year. The company was fined by both Vermont and Connecticut for that little oversight and for not taking adequate care of its customers' sensitive information.
This time, as many as nine servers have gone missing from Health Net's data center that is operated by IBM and is located in Rancho Cordova, California. According to its statement, the company said it is conducting an investigation into the loss.
Furthermore:
"To help protect the personal information of affected individuals, Health Net is offering them two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance."
This protection is being offered out of what the company calls "an abundance of caution."
No doubt getting hit with heavy fines by state regulators for the previous data breach also helped increase that abundance of corporate caution, which would have been very useful before the servers went missing.
Earlier this month, there was another health-related data breach reported involving some 300,000 people. This incident involved three unencrypted storage tapes, a laptop, a zip drive and a hard drive all being stolen from the car of an employee of the Cord Blood Registry, which its website says, is a "cord blood bank [that] has helped many families use their stem cells for lifesaving transplants and other therapies."
The theft took place in mid-December of last year, but was only disclosed in early March of this year.
According to this blog post at NetWorkWorld, the company says that:
"The tapes may have contained personal client data of adults (credit card numbers, driver's license numbers or social security numbers); nothing on children and no health information at all."
The Cord Blood Registry is offering free credit monitoring for a year for those affected.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.
