Connecticut officials investigating massive health data breach
Connecticut officials are investigating how a hard drive containing seven years of personal and medical information on 446,000 Health Net customers in Connecticut—and, according to published sources, another one million customers in Arizona, New Jersey and New York—went missing six months ago and was only reported lost by the insurance company this past Wednesday.

Both Connecticut Attorney General Richard Blumenthal and Insurance Commissioner Thomas Sullivan are investigating the incident.

"I am outraged and appalled by Health Net's huge loss of personal financial and medical information and its failure to swiftly inform authorities and consumers," said Blumenthal in a statement. "This information vanished six months ago, but Health Net is only now informing authorities and consumers, an inexcusable and inexplicable delay. Health Net's incomprehensible foot-dragging demonstrates shocking disregard for patients' financial security, as well as loss of their highly sensitive and confidential personal health information."

The Hartford Courant reported that the lost hard drive contained medical and personal information on a total of 1.5 million Health Net customers. According to the payor's statement, the unencrypted portable disk was “discovered missing” from the company’s offices in Shelton, Conn.

The payor said it will provide credit monitoring for more than two years—free of charge—to all affected customers who ask for the service and provide assistance to customers who have experienced identify theft, healthcare fraud or any kind of suspicious activity since the information was lost in May.

Sullivan sent a letter to Health Net asking for the following information:
  • The total number of members and providers affected by this incident;
  • The circumstances that led to the disc drive disappearing;
  • Whether there was any medical or protected health information on the missing disc drive;
  • The date that Health Net determined Connecticut consumer data was affected;
  • Documentation of Health Net’s established security procedures;
  • What security plan changes Health Net will be undertaking as a result of this incident;
  • The steps being taken to determine how this occurred; and
  • Why there was a delay in reporting this breach to the insurance department.