There was a tiny blurb in the Sunday Arizona Republic regarding a request by the Arizona Attorney General to Health Net regarding a data breach notification. It seems they delayed telling anyone that data was stolen or missing for six months or so:

Attorney General Terry Goddard wants a Connecticut-based insurance company to tell Arizona policyholders whether their personal, medical or financial information was lost or stolen in a security breach six months ago. Goddard’s office says a hard drive containing personal data on 316,000 current and former Health Net policyholders from Arizona has been missing since May from the company’s headquarters in Shelton, Conn. He says the company did not notify the Arizona Department of Insurance until Wednesday.

It’s not clear whether this has anything to do with the breach reported back in February, but from the details provided this appears unrelated, as that was a case of inadvertent disclosure. I did a little more digging and it appears a few other states are getting the same letter, as mentioned in this Computerworld post Health Net says 1.5M medical records lost in data breach: Connecticut A.G. calls six-month delay in reporting loss ‘incomprehensible’.

A hard drive with seven years’ worth of personal financial and medical information on about 1.5 million customers of Health Net of the Northeast Inc. was reported missing to state officials yesterday – six months after the drive went missing.

Excuse me, but what the $%(@ were the details of 1.5 million Health Net customers doing on a portable device? Is there really a major U.S. firm out there without laptop & media encryption mandated?

This comes right on the heels of the BofA data compromise I mentioned last Friday, which also does not appear to have been disclosed. And if Health Net’s attorney’s interpreted Arizona’s law the same way I did, it’s not clear they felt compelled to.

If you didn’t read Rich’s post on The Anonymization of Losses: A Market Forces Failure , or Bruce Schneier’s post Security in a Reputation Economy, now is a good time. Both are excellent and both discuss the hidden costs of lax security such as this, along with the lack of market forces necessary to avoid stupid @$$ stuff with patient data. It appears that whatever checks and balances are supposed to be in place to prod health organizations into securing personal, financial, and medical data are absent. If there is no penalty, why change?