California-based health insurer Health Net on Wednesday admitted that an external hard drive housing the medical records and Social Security numbers of 1.5 million patients went missing from its Northeast headquarters in Shelton, Conn. more than six months ago.
Company officials said the lost drive contained sensitive information dating as far back as 2002 for customers in Arizona, Connecticut, New Jersey and New York. While the data was compressed and saved as image files that require a specific and unspecified software application for viewing, the records were not encrypted.
“Protecting the privacy of our members is extremely important to us,” Health Net officials said in a statement posted on its Web site. “We apologize for any inconvenience or concern this may cause our members.”
Health Net said it will begin mailing out notifications to all the affected patients during the week of Nov. 30 and will offer free credit monitoring services for two years. It added that, thus far, there is no evidence that any of the information has been used for identity theft or other nefarious purposes.
Health Net isn’t the only insurance company that’s put patient and employee data at risk this month.
This week, MassMutual began informing employees that one of its databases was accessed by an authorized person, exposing an unknown number of employees’ personal data for months.
Earlier this month, more than 10,000 physicians’ and dentists’ personal data was exposed in New Hampshire after an employee at Anthem Blue Cross and Blue Shield transferred the healthcare providers’ Social Security numbers and other data to a personal laptop that was later stolen.
In this latest Heath Net incident, more than 446,000 Connecticut patients were affected. However, the insurer said it waited more than six months to reveal the breach to the state’s attorney general and Department of Insurance while conducted an internal forensic review and investigation into the missing drive.
This delayed response was met with skepticism and dismay by at least one state official.
“Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information,” Connecticut Attorney General Richard Blumenthal said in a statement.
Blumenthal and state insurance commissioner Thomas Sullivan are separately conducting investigations into what happened and why it took so long for the company to notify affected patients.
Health Net is based in Woodland Hills, Calif.
“We are doing everything we can to determine what information was on that disk, notify everyone affected as quickly as possible, provide the right tools to remedy any problems that may arise and answer any and every question you might have,” the company added in its statement.