The California Office of the Attorney General disclosed a data breach affecting Health Net, occurring between March 4, 2021, and September 12, 2021. Unauthorized actors gained access to sensitive member information, including names, dates of birth, healthcare ID numbers, and clinical records. Approximately 1,000 individuals were impacted by the incident. The breach exposed personally identifiable information (PII) and protected health information (PHI), raising concerns over potential identity theft, fraud, or misuse of medical data. While the exact method of intrusion was not detailed, the prolonged duration of the breach (over six months) suggests a sustained vulnerability in Health Net’s systems. The incident underscores the critical need for robust cybersecurity measures in healthcare, where the exposure of such data can have severe repercussions for patient privacy and trust in the organization. No ransomware was reported in this case, and the focus remained on the unauthorized access and exfiltration of customer data.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-548826
TPRM report: https://www.rankiteo.com/company/health-net
"id": "hea005091825",
"linkid": "health-net",
"type": "Breach",
"date": "3/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,000',
'industry': 'Healthcare',
'location': 'California, USA',
'name': 'Health Net',
'type': 'Healthcare Insurance Provider'}],
'data_breach': {'data_exfiltration': 'Yes (unauthorized access)',
'number_of_records_exposed': '1,000',
'personally_identifiable_information': 'Yes (names, dates of '
'birth, healthcare ID '
'numbers)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2021-09-12',
'date_publicly_disclosed': '2021-12-22',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Health Net. The breach occurred between '
'March 4, 2021, and September 12, 2021, involving unauthorized '
'access to member information, including names, dates of '
'birth, healthcare ID numbers, and clinical information. '
'Approximately 1,000 individuals were affected.',
'impact': {'data_compromised': ['Names',
'Dates of birth',
'Healthcare ID numbers',
'Clinical information'],
'identity_theft_risk': 'High (PII and healthcare data exposed)'},
'references': [{'date_accessed': '2021-12-22',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (Health '
'Insurance Portability and '
'Accountability Act) '
'violations',
'California Consumer '
'Privacy Act (CCPA) '
'notification '
'requirements'],
'regulatory_notifications': 'Reported to California '
'Office of the Attorney '
'General'},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'Health Net Data Breach (2021)',
'type': 'Data Breach'}