I had to read the letter I got from Health Net about a possible data breach twice, for several reasons. First there was the notice that the incident was prior to January 21, 2011. That’s when “IBM informed us the company could not locate several hard disk drives that had been used in Health Net’s corporate servers….”
Notice that that’s not necessarily when the hard drives went missing; it’s when IBM told Health Net about it. The drives were decommissioned when Health Net moved its data center operations in Rancho Cordova, CA, to IBM’s facility in Boulder, CO. Back in March, Health Net announced the “unaccounted-for server drives” contained information on “some” customers. (We’re going to come back to that “some.”)
Then there is the date of the letter actually informing me that I’m in the unaccounted-for pool: July 27, 2011. Six full months for data thieves, if that’s what happened, to get a head start on looting, with “details such as your name, address, health information, Social Security number and your financial information.”
Lastly, Health Net writes, they wanted to tell me about the incident–again, six months after a “continuing” investigation has been started–out of “an abundance of caution.” (Here, the ghost of Inigo Montoya whispers to me that he doesn’t think that phrase means what they think it means.)
What’s not in the letter? I’m glad you asked. The letter doesn’t admit that the hard drives contained data on some two million Health Net customers. (If you got your small business health insurance through Costco, as I did, then you have Health Net.) About 40,000 Washington residents had their data breached, and 130,000 Oregonians.
Also, Health Net initially told thousands of customers that their Social Security numbers were not on the drives, before confirming that, in fact, they were.
Nor does the letter mention that Health Net, in 2009, reported a breach involving 1.5 million customers. It also fails to mention that Health Net was sued by the Connecticut attorney general, in part, for taking six months to alert customers to that breach: “Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”
It doesn’t seem like the lesson took. The Foley Hoag legal blog muses that if Health Net is penalized in proportion to Massachusetts General Hospital, the payout would be $9 billion. Somewhat more than the two years of “free” identity fraud protection that Health Net is offering its customers through Debix.com.