March 15, 2011, 12:53 PM — Health Net, a provider of managed health care services, yesterday said that it's alerting some 1.9 million customers that nine server drives containing personal and health data were recently discovered missing from a data center in Rancho Cordova, Calif.
The data center is managed for HealthNet by IBM, which notified the insurer about the missing drives, HealthNet said in a statement.
An initial probe has found that the missing drives contained names, addresses, Social Security numbers, financial information and health data of current and former Health Net members, employees and health care providers, the statement said.
Health Net said it will offer two years of free credit monitoring services to the affected individuals.
In its statement, Health Net didn't disclose the number of people affected by the breach nor the number of drives that went missing. That data was contained in a separate alert , also issued Monday, by the California Department of Managed Health Care (DHMC).
The DHMC alert said the breach affects nearly 845,000 Health Net customers in California. The DHMC said it's also investigating the breach.
In a similar alert in Connecticut , Connecticut's Attorney General George Jepsen said the Health Net breach affected nearly 25,000 residents in the state. According to Monday's alert from Jepsen's office, the drives were likely discovered missing in early February.
Health Net did not respond to a call seeking comment on the California and Connecticut alerts.
Less than 18 months ago, in November 2009, Health Net had disclosed that a server hard drive containing seven years of personal financial and medical information had gone missing. At the time, Health Net was criticized for waiting six months to publicly disclose the breach.
For instance, HHS in February imposed a civil penalty of $4.3 million on Cignet Health for not providing 41 patients access to their medical records when they asked for it, as required under HIPAA rules. The action marked the first time that the HHS had imposed such a fine over a privacy violation.