Health Insurer Loses 1.5 Million Patient Records

Published: 2009-12-02 14:13:03
Author: Kim Zetter | Wired | November 19, 2009

A health insurer lost 1.5 million patient records last May but waited six months to disclose the incident.

The data, which was stored on a portable disk drive that disappeared from the insurer’s office, was unencrypted and included patient Social Security numbers, bank account numbers and health data, according to the Hartford Courant. The disk also contained personal information on at least 5,000 physicians.

Health Net discovered the loss in May but never informed patients, law enforcement or government entities, despite data breach laws in some states that require data spillers to notify victims and state officials when residents are affected by a breach. The insurer finally sent a letter to Connecticut’s attorney general and the state’s Department of Insurance this week.

Health Net claimed it took six months to determine what data was on the missing disk. It said that data on the disk was compressed and stored in an image format that required special software to view, which was available only to Health Net.

“Another day, another data breach,” said Connecticut Attorney General Richard Blumenthal in a statement. “But companies still don’t get it: Personal information is like cash and should be guarded with equal care.”

Blumenthal vowed to pursue an investigation and legal action against the insurer. About 450,000 of the patients affected by the data loss are residents of Connecticut, which has a breach notification law. Patients in Arizona, New Jersey and New York were also affected.

“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal told the Hartford Business Journal. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws. I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”
