California health insurance giant Health Net announced on Monday, March 14, that it can’t find several computer server hard drives that were supposed to be located in its data center in Rancho Cordova, California. On those hard drives were the medical records, financial data, and Social Security information for almost 2 million present and previous clients.
Health Net, based in Woodland Hills, CA, provides managed-care health insurance to over 6 million people throughout the United States. They declined to comment on whether the drives had been stolen.
“Obviously something went wrong, but we don’t know,” said Health Net information department spokeswoman Denise Schmidt.
Although Health Net would not disclose exactly how many of their customers’ data had been compromised by the disappearance of the drives, the California Department of Managed Health Care estimates that about 1.9 million people’s personal information is located on the missing drives. The CDMHC also put out a press bulletin stating that a total of nine drives are unaccounted for, and that they will be conducting their own inquiry into the company’s security protocols and procedures.
This is not the first time that Health Net has fallen afoul of security measures and lost important customer information.
In 2009, UnitedHealth Group purchased Health Net’s assets in the Northeast, and the transition from the sale is still in process, though it is slowing to a halt. In January of this year, Health Net had to pay $55,000 in Vermont in the settlement of a case with similar features, when the Vermont Attorney General discovered that a portable, unencrypted computer server hard drive containing the personal data for approximately 1.5 million people had been lost. When Health Net discovered the drive was nowhere to be found, they waited more than six months to let the Vermont customers know, making them vulnerable to potential identity theft and fraud, considering the type and volume of information that had gone missing.
Health Net discovered the security problem when IBM, the company that manages the information technology for Health Net, alerted the insurer that it could not locate the hard drives. Health Net began a systems analysis and alerted the authorities, although it is conducting an internal investigation prior to filing any charges. The data on the server drives includes data on previous customers, company employees, and health care providers.
The people affected by the data loss are more than 622,000 people enrolled with Health Net programs and products which are regulated by the California State Department of Managed Health Care, in excess of 223,000 people enrolled in the California Department of Insurance products, and an unknown number of people covered by Medicare.
Conscious of its missteps with Vermont, Health New notified the affected persons that their privacy might possibly be compromised by the disappearance of the drives and has offered them two years of free credit monitoring through Debix Identity Protection Network. Debix will monitor the individuals’ credit reports for any evidence of fraud or identity theft, and will act as a mediator in the case of any fraud resolution or if any credit files must be restored.