Health Net Breach Exposes 1.9 Million Records

Published: 22/11/2024   Category: security




Insurer's second major breach due to lost drives



National health insurer Health Net started informing customers this week of a data breach in January that exposed as many as 1.9 million customer records. The breach came after its IT vendor IBM misplaced nine server drives following a move to a new data center.
"This investigation follows notification by IBM, Health Net's vendor responsible for managing Health Net's IT infrastructure, that it could not locate several server drives," Health Net said in a statement it posted on its website on Monday. "After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."
This was Health Net's second major breach in two years involving lost drives: Health Net of Connecticut agreed to pay $375,000 in penalties after losing a disk drive in 2009 that exposed the personal information of about 1.5 million Health Net customers, including 500,000 Connecticut members.
Meanwhile, California's Department of Managed Health Care is now planning to investigate Health Net's security practices in the wake of the latest breach.
According to the most recent Ponemon Institute figures, the average data breach costs healthcare organizations $345 per record. Using those numbers, this breach could cost Health Net upward of $655 million when all is said and done. That's a little more than 5 percent of Health Net's projected $12 billion revenue for 2011.
"I don't know how much this industry is going to pay to make that mistake over and over again," says Josh Shaul, CTO of AppSec, who explains that lost media is a constant source of database losses across healthcare and other industries. "It's a joke now: 'The tape fell off the truck.' And here's the equivalent of it, and we're talking about $650 million worth of tape that fell off that truck."
According to Mel Shakir, CTO for NitroSecurity, these types of incidents are often the result of a lack of appropriate policies and procedures in place by the organization responsible for both the physical and logical protection of critical data.
"There have been so many breaches like this, whether it was hard drive or back-up tapes," Shakir says. "Every time it really comes down to policies and procedures. You cannot simply have tools and technologies -- you have to have good policies in place to be able to handle the data safely."
Not only that, but when organizations outsource data center operations, they need to ensure that the third party in charge is working by a set list of policies and procedures, experts say.
"What I think is also interesting is that the servers are managed by another company," says Geoff Webb, director of product marketing at Credant Technologies. "This is the classic dilemma for organizations. It's almost like a Shakespearean tragedy; you can almost see from the beginning how things can go bad. Health Net is now on the hook for all that has been potentially lost and the bad publicity that goes with it. And yet the operations of those systems were managed by another company doing it for them."
AppSec's Shaul says that no matter how well respected the outsourcer, organizations must plan for security and breach prevention within their outsourced contracts.
"You have to make sure you put the rules and process in place to make sure it happens," he says. "Even if you hire IBM, you still need some oversight around data security. You at least need to write into the letter of the contract that the provider is going to take very specific steps and follow documents and processes to protect your information."
"Something so simple as not encrypting the data on the media that is being shipped to one data center or another or being decommissioned makes a difference. That data should have been encrypted or it should have been wiped and that should have happened long before those drives were pulled from the servers," he says.
IBM had not yet responded to press inquiries about the breach as of this posting.