A hard drive with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut, was lost six months ago and was first reported Wednesday, state and company officials said.
The insurance company informed the state attorney general's office and the Department of Insurance on Wednesday of the security breach, a historic lapse that puts personal medical records at risk and is the first of its kind to be publicly reported.
A portable, external hard drive with Social Security numbers and medical records "disappeared" and is still missing from the insurer's Northeast headquarters in Shelton, a Health Net spokeswoman said Wednesday.
The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present — in Arizona, Connecticut, New Jersey and New York, the spokeswoman said.
The data were compressed, but not encrypted. The information is formatted as images and requires a special computer program to be read, state and company officials said. Health Net plans to send out letters to its customers notifying them of the breach.
Attorney General Richard Blumenthal and Insurance Commissioner Thomas Sullivan each said he is investigating what happened, and why the company waited six months to report the incident.
The data breach is another in a series of information security lapses involving Connecticut residents in recent months. Most, including a large breach of People's United Bank customer information, have included bank records or Social Security numbers. The missing hard drive at Health Net is the first publicly reported, widespread release of patients' medical records, at least in recent state history.
"Health Net's incomprehensible foot-dragging demonstrates shocking disregard for patients' financial security, as well as loss of their highly sensitive and confidential personal health information," Blumenthal said in a prepared statement.
"My main concern is protecting the members and participating providers," Sullivan said. "We are currently working with Health Net to ensure adequate notification and protections for all involved."
Health Net suggests that customers with questions call the company phone number on the back of their benefits card, said Alice Chaves Ferreira, a spokeswoman for Health Net of the Northeast Inc.
"Health Net will provide credit monitoring for over two years — free of charge — to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service," Chaves Ferreira said.
The company didn't know what information was on the hard drive, which is why the information wasn't reported sooner, Chaves Ferreira said. Health Net conducted a lengthy investigation, including a forensic review by computer experts, she said.
It was only then that the company concluded the lost data included a vast trove of information.
Earlier this month, Anthem Blue Cross and Blue Shield of Connecticut reported that a laptop was stolen this summer in the Chicago area, compromising personal information of nearly 850,000 doctors, therapists and other health care providers in 50 states, including 19,000 in Connecticut.
Last year, Bank of New York Mellon lost computer tapes that jeopardized information on more than 600,000 state residents, including many account holders at People's United Bank.