In 2011, news about the loss of personal data

Unless it happened to you.

Dec. 26: Hackers obtain personal records for as many as

, especially gamers and social media users.

Dec. 25: The Anonymous collective claims to have stolen thousands of credit card numbers and other personal data from clients of Texas-based

a security think tank.

Dec. 24: Criminals take personal data for about 20,000 applicants for credit cards at China's

.

Dec. 23: The Virginia Department of General Services starts notifying 600 or more people that their Social Security numbers have been visible

Dec. 22: The Oregon Department of Human Services says someone

for about 300 people.

Those are just some of the known breaches reported recently.

In Oregon, repercussions are still echoing from

which acknowledged learning in January that as many 1.9 million current and former policyholders, including 124,000 Oregonians, could be affected.

The nonprofit

. A state investigation is under way into the reason for Health Net's delay in notifying its Oregon clients.

Health Net subscribers weren't notified of the lost data until March, and then, in August, the company notified the state that an additional 6,000 Oregonians were affected. And it sent corrective letters to 40,000 other state residents to tell them that, contrary to what they were told in March, their data may have been lost after all.

The delay was "completely, totally outrageous," said Jeremy Gray, a Health Net client who is also the benefits administrator for the Oregon State Public Interest Research Group (OSPIRG). "Health Net didn't do anything for three months. That seems weird to me."

"Time is of the essence"



, the state

opened an investigation into the Health Net breach. Investigators are examining whether the insurer complied with a relatively new Oregon law that requires companies or agencies to notify clients "in the most expeditious time possible" when it learns that their personal data may be lost or exposed.

That investigation is continuing, David Tatman, administrator of the state's Division of Finance and Corporate Securities, confirmed Thursday.

OSPIRG health care advocate Laura Etherton says the Health Net case is one of the first big tests of Oregon's law. "Is the law strong enough?" she asked. If consumers weren't told for two months that their personal information was exposed, that's two months when they weren't checking their credit reports or their billing statements. And in cases when data are lost or stolen, she said, "time is of the essence."

OSPIRG's Gray says the contractor Health Net hired to respond to queries has given inconsistent responses about whether members' data were compromised. He said he's had no contact from Health Net since March, even though he is responsible for informing OSPIRG staffers about their benefits.

The health care sector is seeing a startling growth in the number of reported breaches of personal data, driven by the increasing use of mobile devices, new federal requirements and, often, a failure by employees to focus on securing personal data, according to Portland's

, a data security solution firm.

ID Experts sponsored a patient privacy study released last month by

that found health care data breaches rose 32 percent last year, costing organizations $2.24 million each, on average.

Reacting to intrusions



Part of the reason for the sharp rise, said Richard Kam, ID Experts president, is that the health care sector has "so much less fraud detection" than there is in the financial services industry. Health care providers and insurers, generally, practice a "pay and chase" model of pursuing fraud, he said, meaning that most interdiction occurs after a violation has occurred.

At the same time, Kam noted, health care is highly regulated, making health sector participants more motivated to report breaches than, say, nurseries or makers of flat-panel screens. In fact, it's impossible to know how many firms or agencies expose private data, because many firms prefer to protect their reputations by concealing such lapses.

They know they risk the ire of clients and customers who learn that the company failed to protect their private information.

"Joe," a 58-year-old, Sebring, Fla., man interviewed by The Oregonian after he posted on

about his case of identity theft, still doesn't know how his personal information was hijacked. But he knows in excruciating detail how it was used. He agreed to discuss the matter on the condition that his name not be published, as he's still cleaning up the mess.

Just before Halloween, he found that data thieves had used his information to acquire a Sears MasterCard, a Macy's American Express card, a Nordstrom Visa card and individual store accounts at Bass Pro Shops, Kohl's, Mattress Giant and others. When retailers issued the fraudulent cards, he said, the thieves instantly charged them up to the limit. "They were experts," he said.

Joe took it upon himself to start calling the banks and retailers that issued the cards. He estimated last week that he's spent 20 hours on the phone so far -- "and I was probably on hold for 18 of those."

He said he is a careful consumer, shredding correspondence, checking ATMs before using them and avoiding dubious e-commerce sites. But it wasn't until he got a call asking whether he had charged $3,500 on his Visa card that he knew he had a problem. He didn't have a Visa card, and the charge occurred 200 miles from where he lived.

By being diligent, Joe hasn't suffered any losses. But he says, "when I go to the mailbox, I cringe a little."