Insurer Health Net is reporting to insurance officials in four states the disappearance of a hard drive with protected health information of 1.5 million covered members. The reporting comes six months after the Los Angeles-based insurer learned the hard drive was missing.

The data breach affects individuals in Arizona, Connecticut, New Jersey and New York. Data on the hard drive includes identifiable medical records and Social Security numbers. Health Net plans to notify affected individuals.

Some 446,000 of those individuals live in Connecticut, where the state attorney general and insurance commissioner are investigating, according to the Hartford Courant. Insurance Commissioner Thomas Sullivan on Nov. 18 sent a letter to Health Net requesting information covering eight areas, including the long delay in reporting the breach. Sullivan is requiring that Health Net provide adequate credit monitoring protection through a specific company to affected individuals in Connecticut for two years.

According to Health Net, data on the hard drive was not encrypted, but is invisible without the use of specific software. The company told the Hartford Courant a lengthy investigation that involved a forensic review to determine what information was on the hard drive accounted for the delay in reporting the breach.

New federal rules mandated under the American Recovery and Reinvestment Act requiring "timely" notification of certain breaches of health information now are effective with a compliance deadline of Feb. 22, 2010.

This article can also be found at HealthDataManagement.com.