Okay, I’ve been known to be a bit harsh at times in commenting on breaches, but even I think this implied criticism in reporting by Brian T. Horowitz on eWeek is a bit too much:
Insurer Health Net waited until March 14 to disclose a data breach discovered on Jan. 21 involving the loss of nine server drives and the data of 2 million customers, employees and health care providers.
Health Net, a provider of health insurance to about 6 million people across the United States, has come under fire for reporting the loss of nine server drives at its data center in Rancho Cordova, Calif., nearly two months after it occurred.
You can read the whole article on eWeek.
So they should have jumped to notify people before conducting their own search for the missing server drives? And it shouldn’t take them any time at all to identify everyone who needed to be notified, to line up credit monitoring services, prepare a notification letter for mailing, etc., etc.?
What do people think is reasonable these days?