HealthNet: Your Data May Have Been Stolen Several Months Ago

HealthNet has been sending letters out to current and former clients notifying them that it lost medical and financial data on 1.5 million customers in May. The News-Times of Danbury, Conn. reports HealthNet sat on the news until recently.

The News-Times reports:

In the letter sent to its customers, Health Net said the information covered the period from 2002 to mid-2009. Once it discovered the loss, it hired forensic investigators to study the extent of the loss before informing authorities and the customers involved.

The investigation determined the disk drive not only contained basic patient information, like Social Security numbers, that could be used in identity theft, but also “possibly your protected health and financial information,” the letter said.

“Fortunately, the files on the missing disk drive were not saved in a format that can be easily accessible and, therefore, we believe the risk of harm to you is low,” the letter said.

The letter also says it will offer affected customers identity theft and credit protection until December 2011.

What does HealthNet need to do to make up for the gaffe?

Health Net customers’ medical, financial data missing [NewsTimes]
(Thanks, nfsf1lm!)

Comments

  1. WinterDog says:

    Hire Hiro Nakamura and go back in time? No? Then a hefty fine is surely warranted. This is beyond unacceptable. How comforting that the files are saved in a format accessible only by a certain program or programs. As if anyone without scruples couldn’t find and download the proper program in minutes. Absurd.

    • cheri0627 says:

      Although this breach isn’t covered, the HITECH Act requires reporting of breaches of Personal Health Information (effective September 23, 2009). If it’s 500 or more people in a state or jurisdiction, it requires notifying major media outlets, as well as the people impacted and the Department of Health and Human Services. Also depending on how the breach happened, the person or people who caused it may not be subject to fines. (Depending on who was involved, this may change with HITECH Act, but not as of yet.)

    • Julia789 says:

      Even without the program, I’m sure there is a way to extract the text from the files quite easily.

  2. pop top says:

    I don’t see why protected information like SSNs, credit card numbers, etc. are ever put onto laptops, thumb drives, CDs, disks…anything that’s small and portable and easy-to-lose. Remember that huge fuck up with the VA where they lost millions and millions of people’s info? That was because some idiot forgot a damn laptop. I understand that not all huge data thefts occur that way, but it seems like a good way to eliminate a large portion of them.

    • Julia789 says:

      They may have a company policy that forbids putting sensitive information on portable devices. However in all my years working for a huge corporation, I’ve noticed that “company policy” only means that you get in extra trouble if you get caught. It doesn’t mean there is any procedure in place to prevent something.

      Better would be to have something in the program where the data is stored that prevents it being exported.

  3. ariven says:

    Yay, I got this letter last week… so far I am the only one at work who admits to getting it. The identity theft/credit protection they are giving us is by Debix, and doesn’t look too bad as far as things go.

    Personally I would prefer to have them take reasonable care of my data mind you…rather than having to pony up for 2 years of protection.

  4. demitasse says:

    Oh man, I love me some Otto Dix.

  5. jp says:

    I got the letter. Signed up with Debix which is the credit protection company they are using. Was really impressed signing up with Debix with all of their security features. Don’t think I would pay for one of these services though. They are giving 1 million insurance to fix everything if anything does happen to my identity.

  6. AllanG54 says:

    I got this too and signed up for the credit monitoring but I’m surprised that they didn’t include the wife so I have to call them because I’m sure if my stuff was swiped hers was as well.

  7. SNForrester says:

    Darn it. I got the letter and shredded it. D’oh! It looked like junk mail and it said something about how great they are handling my private data. I guess I missed the point of the letter. Now I have some calls to make. :(

    • SNForrester says:

      Well that was easy. There’s a joint Debix/HealthNet Data Breach hotline that you can call to ask questions and set up credit protection if you’re on their list. In case anyone is interested, the number is (877) 676-0380. You don’t have to give them your SSN. You just have to confirm your name and birthday. This may be a good option for people wary of sending private information through the mail.

      • Julia789 says:

        Thanks for that info. I’m going to check into that hotline and also check out the website, which they say is secure. I was wary of mailing that return envelope with the big label announcing it’s got credit protection info inside.

  8. ckaught78 says:

    I got a letter on Saturday. At least they are offering credit protection. Some companies won’t. My mother had her information stolen off the computer of a blood bank where she used to give blood. All they did was send her a letter saying oops, and sorry. It is situations like these where I wouldn’t mind the government stepping in and requiring all companies who lose a customer’s information to give some type of credit protection to those customers.

    • Julia789 says:

      I noticed at the Red Cross where I give blood every two months, that they have my info all on a laptop – social security number, medical information, date of birth, etc. They carry those laptops around on a bus to get donations at various events, too. Makes me nervous.

  10. Shoelace says:

    So if the thieves are patient they can now plan to steal identities starting in Jan 2012. While some clients may decide to continue their identity and theft protection after Dec 2011, I think many won’t (unless someone tries to steal their identity before then). They’ll still have the same SS#s.

    If the companies that allow these thefts to occur got really huge fines then this would happen less often.

  11. Julia789 says:

    I got a letter last week from HealthNet saying my information, my husband’s information, and my child’s information was all missing. Social security numbers, date of birth, personal contact information, and sensitive medical procedure information.

    They offered two years of free credit protection service from a company I’ve never heard of before, signing up for which involves mailing your sensitive personal information in a paper-thin return envelope, through which people can read your social security number. The envelope makes it obvious it’s for a credit protection service also, which just begs someone who wants to open a bunch of credit cards in my name to steal the envelope.

    • ariven says:

      The letter I got included a method to sign up online through a secure site.

      • Julia789 says:

        Yes, thanks. I am going to check that out and make sure it looks secure, and try that route. Someone else mentioned a hotline that HealthNet set up, so people can set up the service over the phone directly with the credit monitoring service. I’ll look into that option as well.

  12. vastrightwing says:

    We will be able to rest better after the government starts running our health care knowing that all our sensitive data will be 100% safe! {laugh} {laugh}

    • SNForrester says:

      This is a strange comment given that HealthNet is a private company. Data security is difficult for everyone.

  13. Nemesis_Enforcer says:

    Ahh good old Healthnet, great to see not much has changed since I worked for them. It is funny that we had to verify 4 different pieces of information before we could even ask someone what they were calling about. Yet IT was constantly searching for drives and laptops that the managers and sup’s lost. One time I had to take my own personal laptop to IT so they could make sure it wasn’t one of the missing ones. Never mind that I had an HP and all the company laptops were Dell… They pretend to care about PHI (protected health information) but it was just a show to keep investors and the public happy.

  14. trujunglist says:

    If they send me this letter they will be paying for credit protection much longer than Dec. 2011. Who the fuck would accept such a measly pos offer?

  15. Schemer says:

    My identifying information was stolen from Batteries.com and my husband is military so his SSN is all over everything and, of course, our family has HealthNet/Tricare, so our identity is pretty much screwed any way you slice it.