For the 2nd time in less that 2 years, Health Net has lost a copy of the medical records of their customers (Infoweek.com article). This time it is nearly 2 million records. In 2009, they were fined and ordered to pay for 2 years of credit monitoring (must have been about time to renew the credit monitoring subscription).
You have to begin to doubt the company when they say "Protecting the privacy of our members is extremely important to us," Health Net said. "We apologize for any inconvenience or concern this may cause our members." The article also said "Health Net's statement suggested that the drives may have been misplaced, not stolen. A spokesman called them "unaccounted-for server drives." The company said it was continuing to investigate, and "out of an abundance of caution" it decided to notify "the individuals whose information is on the drives." "
The company recently outsourced their complete IT operations to IBM. This incident highlights the importance, as company look for ways to reduce costs by outsourcing, of make sure all the security policies and procedures are review and meet your companies standards. Make sure the security breach notification procedures are outlines as to which company has responsibility for specific tasks. Having the Information Security involved early in the Request for Proposal (RFP) process can only help address some of the issues that might have been avoided by Health Net.