HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Community Health Plan of Washington Announces 400,000-Record Data Breach

An unplugged security vulnerability at a business associate of Community Health Plan of Washington has resulted in the exposure of the protected health information (PHI) of almost 400,000 plan members.

Community Health Plan of Washington is now in the process of notifying all affected members that highly sensitive information, including names, addresses, dates of birth, Social Security numbers, and health insurance information, has been exposed and compromised.

The data breach was confirmed on November 30, 2016, although Community Health Plan of Washington first became aware of a potential breach on November 7 after a tip-off was received.

Staff at the health plan picked up a voicemail message from an individual who reported a vulnerability that had been discovered in the network of one of the health plan’s business associates. That vulnerability could be exploited to gain access to members’ data.

Community Health Plan of Washington followed up on the tip-off and contacted the firm in question, which is a subsidiary of NTT Data. The firm provides technical services to the health plan. Rapid action was then taken by the firm to confirm that the vulnerability existed and then correct the flaw to prevent data access.

A computer forensics investigator was hired to conduct a thorough analysis of the network and confirmed that the vulnerability had been exploited and that an unauthorized individual had accessed plan members’ PHI. It is unclear whether that individual was the same person that reported the vulnerability. At the time of writing, plan members’ data are not believed to have been used inappropriately. No reports of data misuse have been received by the health plan or its business associate.

Notification letters to affected plan members were delayed until the investigation into the data breach was completed and while the health plan put the logistics in place to deal with the breach. A toll-free helpline for members has now been set up and credit monitoring services have been arranged.

According to a report in the Seattle Times, each member will receive an individual notification letter with an identification number that can be used to register for credit monitoring services with Kroll.

381,534 members of the health plan, which provides insurance through Medicaid throughout Washington state, have been affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.