Brent Hunsberger reports that Health Net has sent out corrected notifications following the discovery of missing drives in January:
Health Net Inc. said a data breach discovered in January affected more people than originally thought and that it had erred in telling thousands of former and current members that their Social Security numbers were not compromised.
The insurer refused to say how many people nationwide it was alerting to the oversight. Health Net originally said the breach affected nearly 2 million nationwide, including 124,000 in Oregon.
But in an e-mail last month to the Oregon Insurance Division, Health Net Oregon president Chris Ellertson said 40,000 of 124,000 Oregonians were being sent corrected notices. Health Net had also identified an additional 6,300 Oregonians whose personal information — including names, addresses, Social Security numbers and health and financial information — was on the computer drives discovered missing from a data center in January.
That brought the total affected current and former members and employees in Oregon to 130,000. The company had 105,000 current members in 2009.
Health Net’s chief operating officer, James Woys, apologized for the mistake in a July 27 letter to customers, saying the original analysis of the breach was flawed.
Read more on The Oregonian.
This is not the first breach in which we have seen corrected notices or the discovery of more people affected following initial notification, and it undoubtedly will not be the last. But as much as I endorse companies taking a reasonable amount of time to sort out who was affected and how before sending out notices, six months does not strike me as reasonable, and I wonder whether the company will incur any penalties for that from states.