Officials in Connecticut are investigating the disappearance of a disk drive from an insurer’s office that contains the personal information of 1.5 million members in four states.

Health Net Inc., which provides benefits to more than 6 million people nationwide, recently informed Connecticut’s insurance department and attorney general that the unencrypted, portable drive was missing from its Shelton, Conn. office.

A spokesman for Health Net told IFAwebnews.com the disk drive contained personal information gathered over the last seven years from 446,000 members in Connecticut, about 340,000 members each in New Jersey and New York, and the remainder from Arizona.

In a statement, Health Net said the data on the drive cannot be accessed without special software. Nonetheless, the insurer is providing affected members with two years of free credit monitoring and will assist any customer who has experienced suspicious activity, identity theft or health care fraud between May, when the insurer said the drive disappeared, and the time they sign up for the identity protection service.

“To date, we have not had any reports of misused data,” the insurer told IFAwebnews.com.

Richard Blumenthal

The fact that the disk drive disappeared in May and was just recently reported to Connecticut authorities was not lost on the state’s attorney general, Richard Blumenthal, who said he was “outraged and appalled” by the company’s actions.

“This information vanished six months ago, but Health Net is only now informing authorities and consumers, an inexcusable and inexplicable delay,” Blumenthal said in a statement. “Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information.”

Blumenthal said his office would investigate how the drive went missing and why the company kept officials and its customers “in the dark” for six months.

“The company’s failure to safeguard such sensitive information and inform consumers of its loss – leaving them naked to identity theft – may have violated state and federal laws,” he said. “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

In a statement to IFAwebnews.com, Health Net of Connecticut said that due to the nature of the files saved on the drive, “we were initially unable to determine what information was on it and had to conduct a lengthy investigation, including a detailed forensic review by computer experts.”

The data breach is also under investigation by the Connecticut Insurance Department, according to its commissioner, Thomas R. Sullivan, who said his main concern “is protecting the members and participating providers.

“Rest assured that my office is committed to a thorough review of this situation, and will determine next steps and appropriate enforcement action,” Sullivan said in a statement.

Sullivan has requested detailed information from Health Net on the circumstances that led to the drive disappearing, documentation of Health Net’s established security procedures and changes in security planning the insurer plans to avoid a similar incident in the future.