This week Health Net, a health insurance provider to about 6 million people in the US, came clean on a data breach that occurred 2 months ago. According to the company, it lost nine server drives from its California data center on January 21, 2011. Those drives contained the data of 2 million customers, employees and health care providers. Information included names, addresses, health information, Social Security numbers and possibly financial information.
IBM, which manages Health Net’s IT infrastructure, informed Health Net management on January 21, 2011 of the potential data breach. It was only this week that the company started notifying affected people. This could be the most serious health care data breach since 2008, when the University of Utah lost backup tapes with records of 2.2 million people. To add insult to injury, Health Net had another security breach in May 2009, when they lost a portable disk drive containing the medical and financial data of 1.5 million members.
There seems to be a serious lack of process here when it comes to managing electronic media. There is also a serious misunderstanding of the breach notification laws. According to the California Civil Code, section 1798.29:
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The law is clear. If an organization suspects a breach of personal information, it must notify law enforcement, the appropriate agencies and the affected parties in the most expedient time possible. Provisions are made for law enforcement to investigate any criminal wrongdoing and for the company to determine the cause and scope of the problem. I think that 2 months is a little excessive in either case.
What steps should you take if you are the victim of a data breach? Respond, Assess, Fix
1. Respond – the first thing is to tell people about the breach. Because of the sensitivity of personal information, you need to notify appropriate parties quickly. Tell people about the threat and what the damage might be. Notify your customers, the media, law enforcement, your employees, your investors and state or federal officials, depending on your industry. This is not the time to be timid. Help your customers deal with the exposure and provide remediation services, such as credit protection, if that’s appropriate. Failure to do so causes more harm than sticking your head in the sand. It’s better to be proactive and inform everyone, rather than having people find out on Twitter or in an online article.
2. Assess – figure out what happened and what to do about it. This may seem like the first step, but as any firefighter will tell you, first you contain the fire, then figure out how it started. You will probably discover a combination of people, process and technology breakdowns. It’s rarely just one. In the case of Health Net, there was definitely a process breakdown. Determine the causes and how to prevent them from happening again.
3. Fix – create a plan, if you don’t already have one, and execute it. This should include training people on information security, implementing processes to prevent the leaking of sensitive data, and deploying technologies to plug vulnerabilities. The Health Net hard drives, at a minimum, should have been encrypted.
The penalties that Health Net may incur could be severe. There are California laws affecting the data breach itself. There may be issues on reporting requirements under Sarbanes-Oxley and SEC violations about the material financial exposure resulting from the potential liability. Since this is a health care organization, there may even be violations of HIPAA regulations.
Experiencing a data breach can be devastating to any business, but informing those affected quickly is your first step. You should expect problems to occur, but how you handle them and quickly remedy the situation says a lot about your commitment to your customers, employees and investors. It’s better to over communicate than bury your head in the sand and hope it all goes away.