Wednesday, March 30, 2011

Health Net Loses More Patient Records

This month news came out that Health Net lost another 1.9 million patient records. This comes on the heels of a 1.5 million record loss just two years ago.

A previous data loss event happened in May of 2009, but the company only informed the state Attorneys General where disclosure laws exist, and that took nearly six months. They plan to inform those affected, but have not yet done so. Vermont fined Health Net $55,000 on behalf of the 525 state citizens who were affected. And Health Net paid $525,000 to settle two claims with the state of Connecticut.

In the healthcare industry, the new HITECH provisions of the HIPAA rule address these data loss events. They require that an organization notify affected individuals within 60 days of a breach. Though there are provisions which would negate the obligation to notify (such as strong encryption or quick recovery), in the Health Net case these do not apply.

In the May 2009 event, the company claims it took six months to identify what and whose data was lost. The information was stored unencrypted on a portable disk drive. Not to worry, they say: the data was compressed and only readable using specialty software. There are at least three things wrong with these positions.

Companies need to know where their sensitive information is stored. Health Net claims that it took six months of forensic investigation to determine what was lost. There may be several explanations for this. Maybe they just don't know what they store where. Or maybe those trying to figure it out weren't good at it or didn't spend much time doing it. Or it's possible that the right people didn't know about the drive, didn't know it was lost, or didn't know it may have contained sensitive information. But in the end, it comes down to a basic lack of data and asset tracking.

Portable media is at high risk of theft and loss, so sensitive data stored there should be protected. Physical protection would mean keeping the media in authorized and secured areas; logical protection would mean encryption. But Health Net failed to do this.

Though the data is supposedly unreadable without special software, I doubt this is the case. I've sometimes found that proprietary formats - for which custom software is often very expensive - are nothing more than standard formats with cryptic file names. If you open the file with a text editor, document editor, image viewer or other widely available software, many times you have no problem extracting the data.
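The two points above, knowing what is stored where and not trusting a cryptic file name to mean "unreadable", come together in a content-based inventory. The following is an added example (my own code, not anything from Health Net or the post's sources): it walks a directory, identifies each file by its leading bytes rather than its extension, and reports the mismatches. The file names and contents are constructed samples.

```python
"""Content-based inventory of files on portable media (added example).

Files with 'proprietary' extensions are often ordinary zip, gzip, PDF or
plain-text files. Sniffing content instead of names shows what is really
there. All sample files below are constructed, not real patient data."""
import gzip
import os
import tempfile
import zipfile

# Leading-byte signatures for a few common container/document formats.
SIGNATURES = [(b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip"), (b"%PDF-", "pdf")]

def sniff_type(path):
    """Return the format implied by the file's first bytes, ignoring its name."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    # Printable ASCII with no NUL bytes is almost certainly plain text.
    if head and b"\x00" not in head and head.isascii():
        return "text"
    return "unknown"

def inventory(root):
    """Map each relative path under root to (extension, sniffed type)."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lstrip(".").lower() or "(none)"
            result[os.path.relpath(path, root)] = (ext, sniff_type(path))
    return result

def build_sample_drive():
    """Create a throwaway directory imitating a drive of cryptically named files."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "MBR0193.dat"), "w") as z:
        z.writestr("members.csv", "id,name\n1,SAMPLE PERSON\n")  # constructed
    with gzip.open(os.path.join(root, "CLM7721.x02"), "wb") as g:
        g.write(b"claim,amount\n7721,100.00\n")  # constructed
    with open(os.path.join(root, "IDX0001.bin"), "w") as t:
        t.write("member-id=1;plan=SAMPLE\n")  # constructed
    return root

if __name__ == "__main__":
    for rel, (ext, kind) in sorted(inventory(build_sample_drive()).items()):
        print(f"{rel}: extension .{ext} -> content looks like {kind}")
```

Every file on the constructed drive opens with standard tools once its real type is known, which is the point about "specialty software"; an actual inventory would also record which files hold personal data.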

But this problem isn't one that exists for Health Net alone. The DataLossDB catalogs many of the data loss events that happen. Others remain undisclosed and unknown.