Major Breach: Insurer Blames System Integrator
Community Health Plan of Washington Says Incident Affected Nearly 400,000
Community Health Plan of Washington, a not-for-profit insurance company, says a security vulnerability on the computer network of a business associate that provides it with technical services resulted in a breach affecting nearly 400,000 individuals.
CHPW, founded by a network of community and migrant health centers in the state of Washington, says it learned on Nov. 7 of a data security incident that may have affected CHPW member records stored by the technology services vendor.
"The data security incident occurred through a server maintained by Transaction Applications Group Inc., doing business as NTT Data, who processes claims for CHPW," CHPW says in a statement provided to Information Security Media Group. "CHPW's server was not accessed."
CHPW learned of the incident, which potentially affected 381,534 individuals, when "an individual called our customer service number and claimed to have accessed member records without authorization," CHPW says in its statement.
"CHPW took immediate measures to disable the server which stored those records. CHPW launched an investigation, and a digital forensics firm was engaged to determine what happened and if member records were accessed without authorization," the statement says.
On Nov. 30, the investigation confirmed that records had been accessed without authorization. "The investigation later revealed that the initial unauthorized access occurred on Jan. 16, 2016, and [the investigation] continued at that point to determine what records were accessed. CHPW reported the matter to the FBI and is working with them to protect our members' data," the insurer says in its statement.
CHPW says it also notified the Washington State Health Care Authority and the Washington State Office of the Insurance Commissioner of the incident.
Information that appears to have been compromised in the breach includes names, addresses, dates of birth, Social Security numbers, and certain coding information related to healthcare claims, the insurer's statement says.
A spokesman for NTT Data told The Seattle Times that upon learning of the incident, the company took immediate steps to identify the vulnerability and eliminated it. NTT Data did not immediately respond to ISMG's request for comment.
CHPW is offering affected individuals free credit and identity monitoring services for one year and is "working with its technology services provider to increase the security of all CHPW member information to prevent similar incidents."
One of Largest 2016 Breaches
If details of the alleged security mishap are confirmed by the U.S. Department of Health and Human Services' Office for Civil Rights, the incident could potentially rank among the largest 2016 health data breaches on OCR's "wall of shame" website listing breaches affecting 500 or more individuals.
As of Dec. 22, the largest breach appearing on the federal tally for 2016 was a hacking incident reported by Banner Health in August that affected 3.62 million individuals.
The largest breach posted to the wall of shame in 2016 involving a business associate was a hacking incident reported in August by Newkirk Products Inc. that affected 3.5 million individuals.
Lengthy delays in breach detection or notification, as apparently occurred in the Community Health Plan incident, are commonplace.
"The time delay is frustrating and should encourage any company to do more regular scans to try to identify any such problems," notes privacy attorney Kirk Nahra of the law firm Wiley Rein.
"Business associates obviously are a risk for any company - and, mathematically, a bigger risk than the covered entity itself simply because of the number of vendors," he says. "There's obviously no reasonable way around having vendors. So this is a lesson of sorts to any company: Monitor more closely, pay attention to unusual activities, report upstream as soon as you can, etc."
Kate Borten, founder of security and privacy consulting firm The Marblehead Group, notes: "It is definitely true that organizations - both covered entities and BAs - underreport breaches since many go undetected. In cases like this, discovery happens only by chance, and not through the organization's diligence.
"Data security breaches are widespread, affecting even organizations we assume implement the human and technical resources expected for good security."
Breaches involving business associates "are far too common an occurrence within our healthcare system," says Dan Berger, CEO of security consulting firm Redspin.
"Although business associates are now directly held to the same HIPAA security standards as covered entities, covered entities generally lack any real visibility into the security safeguards BAs have in place," he says. "The fact that it took 11 months for the CE to learn about the incident - and even then only allegedly through an anonymous caller - exposes the lack of breach detection capabilities at the BA."
Covered entities need to be "very proactive in their relationships with BAs" to get a better handle on how these vendors are protecting patient PHI, Berger says. "It is not sufficient that a BA agreement is in place; CEs should demand evidence that the BA has the policies, procedures, systems and training in place to protect patient data. At a minimum, they should ask to see the results of the BA's annual HIPAA security risk assessment and gain assurance that any findings therein have been remediated."
Keith Fricke, partner and principal consultant at tw-Security, notes that "news of this [CHPW] breach aligns with metrics HHS publishes each quarter identifying that roughly 30 percent of reported healthcare breaches are due to business associates."
Fricke advises healthcare organizations to "start with risk analyses on business associates that have direct remote access into your network or are vendors to whom you have entrusted the storage or processing of large amounts of PHI. Also, make sure cyber insurance policies and BA contracts define coverage and responsibilities, respectively, when a breach is the result of a business partner."