The Data Breach at Health Net

Companies in every sector of the economy including health care have begun moving operations and sensitive data to the cloud. As the trend accelerates, some experts have questioned whether the cloud is a safe place to store personal data.

What is no longer in question, though, is that client-server systems sitting in providers’ offices are inherently unsafe places for such data. Every one of the largest breaches of patient confidential information that took place last year, for example, could not have happened had the data been stored in the cloud.

And those events pale in comparison to the massive breach of patient data that was announced last week by company officials from Health Net. These officials reported that a portable, external hard drive containing 7 years’ worth of personal, medical and financial information on 1.5 million customers had been lost.

The wayward hard drive was last seen in the company’s Northeast headquarters in Shelton, Connecticut. It contained Social Security numbers, medical records and bank account information dating back to 2002.

About a third of the missing files were from Connecticut residents. Customers from Arizona, New Jersey and New York were also affected.

Data on the missing drive were not encrypted but do require a special computer program to read them (presumably available at Radio Shack). Remarkably, to this date, Health Net has yet to formally inform affected individuals that their confidential information may have been compromised.

That is only half the story, however. It turns out that the hard drive was lost 6 months ago.

Health Net spokesperson Alice Chaves Ferreira explained that the managed care giant didn’t report the incident sooner because it didn’t know what information had been lost. It was only after a review by computer experts that Health Net realized the scope of the loss.

“Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information,” Connecticut’s Attorney General Richard Blumenthal said in a prepared statement.

“I am outraged and appalled by Health Net’s…failure to swiftly inform authorities and consumers,” Blumenthal added.

Connecticut law requires that organizations notify consumers and state officials about data breaches “without unreasonable delay.” The company’s actions “may have violated state and federal laws,” Blumenthal said. “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

Meanwhile, state Insurance Commissioner Thomas Sullivan said he would require that Health Net extend credit protection monitoring through a private company that provides identity-theft protection services.

Ferreira confirmed this will happen. “Health Net will provide credit monitoring for over 2 years — free of charge — to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” she said.

Health Net officials said they had no evidence that anyone has misused the missing data.

The Health Net data breach comes less than a month after Blue Cross and Blue Shield reported that a laptop had been stolen this summer in the Chicago area, threatening the personal information of 850,000 health care providers in 50 states.

By coincidence, Blumenthal had just announced plans to investigate the Blues’ delays in announcing that breach when the Health Net story hit the wires.

Patient medical records being cared for by providers using the Practice Fusion EHR are stored in the salesforce.com cloud, a $100 million HIPAA-compliant beast that has never experienced a breach. These providers have no need to store patient data on site in hard drives, laptops or anything else.

Glenn Laffel MD, PhD
Sr. Vice President, Clinical Affairs, Practice Fusion
