Connecticut is to investigate a huge loss of health data by an insurer.
Apparently the California-based firm Health Net lost hundreds and thousands of patient records last May but waited six months to disclose the incident. Connecticut Attorney General Richard Blumenthal said the six-month delay could be a violation of the law.
A portable external hard drive with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut disappeared from the insurer's office and the insurance company informed the state attorney general's office and the Department of Insurance only last Wednesday of the security breach, Hartford Courant reported.
The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers past and present in Arizona, Connecticut, New Jersey and New York.
The data was not encrypted; however, a specialized computer program is required to read it, the attorney general's office said. Nevertheless, Health Net may have violated state and federal law, it was felt.
"I am outraged and appalled by Health Net's huge loss of personal, financial and medical information and its failure to swiftly inform authorities and consumers," Blumenthal said. "This information vanished six months ago, but Health Net is only now informing authorities and consumers, an inexcusable and inexplicable delay."
The insurers defended themselves saying they undertook a lengthy investigation, including a detailed forensic review by computer experts, before going public on the issue.
While asserting that they would go all out to protect the privacy of their clients, they also noted that to date there was no report of misuse of any of the data that has now disappeared.
However, Health Net will provide credit monitoring for over two years - free of charge - to all impacted members who elect the service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment.
Attorney General Blumenthal vowed that he would "vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted." He also said his office will demand identity theft insurance and reimbursement for credit freezes, along with credit monitoring, for at least two years, for all of the impacted consumers.
"My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long," Blumenthal said. "The company's failure to safeguard such sensitive information and inform consumers of its loss -- leaving them naked to identity theft -- may have violated state and federal laws."
Anthem Blue Cross and Blue Shield, a unit of WellPoint Inc, is also facing a data breach investigation by Blumenthal, who recently alleged the health insurer waited two months to tell 18,817 health care providers in the state that a laptop computer containing their personal information, including some Social Security numbers, was stolen.
Blumenthal said he will demand Health Net provide consumers with comprehensive, long-term identity theft protection.
"My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long," Blumenthal added. "The company's failure to safeguard such sensitive information and inform consumers of its loss -- leaving them naked to identity theft -- may have violated state and federal laws. I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted."