Investigations Mount into LifeWise HIPAA Breach

Share this article on:

The LifeWise Health Plan of Oregon is being investigated by Washington State and Alaska in the wake of the huge HIPAA breach to affect its parent organization, Premera Blue Cross. Now the state of Oregon has decided to conduct an investigation into the breach after it was determined that approximately 250,000 state residents had been affected.

The attack on Premera Blue Health and LifeWise Health Plan – which shared the same IT infrastructure for claims – first occurred in May 2014. Data going back to 2012 was potentially obtained by the thieves. However there was no evidence of data being copied leading experts to believe the attack was highly sophisticated in nature and that data access was somehow masked.

The volume of data potentially exposed – and its detailed nature – make this hacking incident the largest ever reported and the most serious and by some distance. Last year 4.5 million records were exposed in a hacking incident at Community Health Systems and the Tricare data breach in 2009 exposed 4.9 million records. In total, 11 million records were exposed in the Premera/Lifewise HIPAA breach, creating more victims than the combined total of the previous two largest recorded HIPAA breaches.

State HIPAA Breach Investigations

When investigations need to be conducted into organizations that have suffered data breaches and have potentially violated HIPAA rules, external cybersecurity firms are usually employed to conduct the investigations. This ensures the investigations are conducted thoroughly and without bias.

The investigations are likely to concentrate on the response to the data breach, and whether affected individuals were notified in a reasonable time frame. Also likely to be assessed will be the steps the health plan has taken to mitigate any damage caused and prevent future breaches from occurring.

Oregon Insurance Commissioner, Laura Cali, issued a statement earlier this week confirming the launch of an investigation and said “Oregon takes the protection of personal identifying information very seriously and this investigation will closely scrutinize the data security practices of LifeWise,” she went on to say “Oregon will be looking at how LifeWise learned about the breach, what process they used to identify affected consumers, and the adequacy of the consumer protections offered to those affected.”

The Office for Civil Rights is has also taken note of the breach and will be investigating to determine if there have been any privacy rule violations, while the FBI is investigating the attack to attempt to find the individual(s) responsible to bring them to justice and secure the data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On