HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Investigations Mount into LifeWise HIPAA Breach

The LifeWise Health Plan of Oregon is being investigated by Washington State and Alaska in the wake of the huge HIPAA breach to affect its parent organization, Premera Blue Cross. Now the state of Oregon has decided to conduct an investigation into the breach after it was determined that approximately 250,000 state residents had been affected.

The attack on Premera Blue Health and LifeWise Health Plan – which shared the same IT infrastructure for claims – first occurred in May 2014. Data going back to 2012 was potentially obtained by the thieves. However there was no evidence of data being copied leading experts to believe the attack was highly sophisticated in nature and that data access was somehow masked.

The volume of data potentially exposed – and its detailed nature – make this hacking incident the largest ever reported and the most serious and by some distance. Last year 4.5 million records were exposed in a hacking incident at Community Health Systems and the Tricare data breach in 2009 exposed 4.9 million records. In total, 11 million records were exposed in the Premera/Lifewise HIPAA breach, creating more victims than the combined total of the previous two largest recorded HIPAA breaches.

State HIPAA Breach Investigations

When investigations need to be conducted into organizations that have suffered data breaches and have potentially violated HIPAA rules, external cybersecurity firms are usually employed to conduct the investigations. This ensures the investigations are conducted thoroughly and without bias.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The investigations are likely to concentrate on the response to the data breach, and whether affected individuals were notified in a reasonable time frame. Also likely to be assessed will be the steps the health plan has taken to mitigate any damage caused and prevent future breaches from occurring.

Oregon Insurance Commissioner, Laura Cali, issued a statement earlier this week confirming the launch of an investigation and said “Oregon takes the protection of personal identifying information very seriously and this investigation will closely scrutinize the data security practices of LifeWise,” she went on to say “Oregon will be looking at how LifeWise learned about the breach, what process they used to identify affected consumers, and the adequacy of the consumer protections offered to those affected.”

The Office for Civil Rights is has also taken note of the breach and will be investigating to determine if there have been any privacy rule violations, while the FBI is investigating the attack to attempt to find the individual(s) responsible to bring them to justice and secure the data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.