December 7, 2009
AMERICAN MEDICAL NEWS | Health Net in November announced that thousands of its members and network physicians could be at risk for identity theft due to a lost portable disk drive that the company said had "gone missing" six months earlier.
However, the disk drive containing millions of image and text files could only be interpreted with software proprietary to Health Net, spokeswoman Alice Ferreira said. "For a layperson it would be difficult to understand what was on the drive."
Information included claims data from 2002 to the present for members in Connecticut, New Jersey and New York, along with associated physician information. Ferreira said she could not speculate about how many physicians would be affected.
Health Net had about 580,000 members in those three states as of Sept. 30, but the disk also contained information about past members.
According to the Connecticut State Medical Society, as many as 5,000 physicians in that state alone could be affected by the breach.
"We are especially concerned because health insurers keep more personal information on file for physicians than they do for patients," said Matthew Katz, executive vice president of CSMS.
The portable disk drive disappeared from Health Net's Shelton, Conn., office in May, but no one outside the company, including the state insurance commissioner, was notified until Nov. 18.
Ferreira said that for the intervening six months, the company was conducting its own investigation, with the help of forensics experts, to figure out what exactly was on the drive. The final report was delivered the week of Nov. 18, she said. "If we had gone any earlier we would still be in the midst of investigation."
She said physicians in Health Net's Northeast network would receive letters notifying them of the breach.
The company has agreed to pay for two years of credit monitoring for affected doctors and patients who request it, as required by Connecticut Insurance Commissioner Thomas R. Sullivan. Instructions for making that request will be in the letters to physicians, Ferreira said.
She said there has been no sign that the information has been misused, but that the credit monitoring and repair services would be retroactive to when the disk drive was lost.
Sullivan sent a letter to Health Net asking for more information about the data breach, and gave them until Dec. 1 to respond.
He asked exactly how many people were affected, what led to the loss of the disk drive and whether it contained protected health information. Sullivan also sought documentation of Health Net's security procedures, an explanation of what changes the plan has made in response to what happened, and why it took so long for the company to notify his office.
"Rest assured that my office is committed to a thorough review of this situation, and will determine next steps and appropriate enforcement action," the commissioner said in a news release.
This is the second reported insurance company data breach this year involving thousands of physicians. The other came to light in October when BlueCross BlueShield-affiliated plans across the country began notifying physicians that a laptop belonging to an employee of the Chicago-based BlueCross BlueShield Assn. was stolen in August.
An unencrypted file containing identifying information for every Blues-contracted physician in the country -- about 850,000 physicians in total -- was saved on the laptop. So far there's been no evidence the data have been misused, but state regulators have been critical of the Blues for allowing the breach to happen and for taking months to report it.
AMA delegates at their November Interim Meeting passed a resolution calling for Blues plans to pay for five years of credit monitoring for affected physicians, and for any health insurer that experienced a similar breach to notify physicians immediately. The Blues are covering credit monitoring for one year.
UnitedHealth Group is set to acquire Health Net's Northeast business in a deal reached in July.
Health Net's members in the Northeast will have the option to renew with United, and the final value of the deal will depend on how many of them do so. The acquisition is pending regulatory approval.