Health Net is a regional health plan and the drive included health information, social security number and bank account numbers for all 446,000 Connecticut patients, he said. The information had been compressed, but not encrypted, although a specialized computer program is required to read it.
Health Net officials said they were not able to determine which information was on the disk, so they investigated and learned the information was saved in an image format that cannot be read without special software, but it contained personal information for many past and present Health Net members.
Blumenthal said he’s “outraged” that the company never told customers or police and only told the AG on Wednesday.
Blumenthal is investigating and demanding that Health Net provide consumers with at least two years of identity theft protection, identity theft insurance, reimbursement for credit freezes and credit monitoring for at least two years for all 446,000 consumers.
The state Insurance Department is also investigating and looking for information, including what led to the disc drive disappearing, what information is missing, HealthNet’s security procedures and changes they plan.
Health Net will provide credit monitoring for more than two years, free to all the people impacted who decide to use this service. If customers find suspicious activity between May 2009 and the date the identity protection service starts Health Net will provide assistance. They have not received any reports of data misuse.
“Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information,” Blumenthal said. “Personal information is like cash and should be guarded with equal care. Casual and cavalier attitudes toward data protection and breaches are intolerable and must stop.”
"Protecting the privacy of our members is extremely important to us," Health Net officials said in a statement. "We apologize for any inconvenience or concern this may cause our members."