Health Net, IBM - 2011

Nine disc drives that contained sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The drives contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. The 1.9 million victims include 622,000 California residents enrolled in Health Net HMOs, 223,000 Californians enrolled in Health Net PPOs and people enrolled in Medicare and other plans. The drives were discovered missing on January 21, but affected individuals were not notified until March 14.

UPDATE (06/07/2011): A class-action lawsuit seeks $5 million from Health Net Inc. and its vendor IBM. The complaint alleges that Health Net and IBM breached their duty of confidentiality and negligently allowed the release of highly personal and confidential information. The complaint alleges violation of California's Confidentiality of Medical Information Act, Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2, which concerns the unauthorized disclosure of customer records; Cal. Bus. & Prof. Code § 17200, California's unfair-competition law; and public disclosure of private facts. The lawsuit is seeking injunctive relief, compensatory damages, declaratory relief, and attorney fees and costs. The citation is Bournas v. Health Net Inc., No. 2_11-CV-01262, complaint filed (E.D. Cal. May 11, 2011).

UPDATE (08/09/2011): Health Net's chief operating officer apologized to customers after it was discovered that the original analysis of the breach was flawed. Around 124,000 Oregon residents who were current members, former members, or employees were believed to have been affected. Health Net discovered that an additional 6,300 Oregonians had their personal information on the stolen computer drives.