Health Net Breach — A Failure of People, Process & Technology
The recent Health Net data breach of 1.5 million patient records due to a lost hard drive included unencrypted personal information such as names/addresses, medical records, Social Security numbers and other financial information. A breach of this magnitude is shocking and what is more astounding is that the breach apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November, 2009). The breach may be a gross negligence of HIPAA, FTC “Red Flag” Regulations, Connecticut’s Public Act 08-167, CGS 36a-701(b) and other state regulations/breach laws.
I am sure that Health Net, like most companies, felt they developed the necessary controls to meet such regulations. But a breakdown of this magnitude proves a failure of the company to institute “strong enough” information security policies, employee awareness programs and technology across the company to protect against this major corporate risk. That is why we have been advising our clients to develop a risk-based information protection plan that estimates their potential loss against the cost of securely controlling and protecting their information assets. The monetary penalties and consequences to Health Net for this breach will far outweigh the “should-have” preventative costs of deploying the right controls for this threat. If the lost hard drive were encrypted, I wouldn’t even be writing this blog.
In his statement, Attorney General Richard Blumenthal stated that “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”
This is not an option: *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.* Comments are welcome.
Leave a Reply