Community Health Plan of Washington hit by a data breach

The Community Health Plan of Washington (CHPW) – provider of health insurance in Washington – issued a press release on the 21^st of December concerning a data breach that may have affected up to 400,000 current and former members of the organisation.

This is yet another large data leak involving a healthcare sector – usually the biggest culprits in terms of data leaks, which is made worse by the sensitive nature of the data that can be breached.

The data breach may have exposed personal information which includes:

• Names;
• Addresses;
• Dates of Birth;
• Social Security Numbers; and
• “coding information relating to health care claims”.

Within the press release, it’s reported that they were made aware of the breach on the 7^th of November. They said they immediately informed the FBI and several state regulators, including the Washington Office of the Insurance Commission and the Washington State Health Care Authority. The organisation took “immediate measures to disable servers and a digital forensics team was engaged to investigate”. However, one can’t help but wonder why the members whom the personal information belonged to weren’t also immediately notified.

An unauthorised access of personal information

On November 30^th, the forensic experts confirmed that there was indeed an unauthorised access of members’ personal information. The press release also reported that the breach happened because outsourced security was in a vulnerable state. In that claim, they make it sound like it wasn’t their fault, but the fault of their external services providers.

However, the CHPW cannot pass on the blame so easily and play the victim when they are the ones who are ultimately responsible for their organisation’s security.

Victims informed

CHPW emailed all 381,534 current and former members, apologetically informing them of the unfortunate breach and assuring them were doing all that they could to handle the situation. In a gesture of good will, they offered credit and monitoring services to all with a personal login for 12 months free of charge. They also say that they have engaged with services providers to increase their security and ensure another breach won’t happen again.

Not having adequate security to protect is not only irresponsible and reckless, but it’s also disrespectful. Data breaches are not something to be shrugged off. The financial and psychological harm can be extensive, with the latter causing potentially life long consequences.

Here in the U.K., the Information Commissioner’s Office would likely investigate a breach like this and may well find that it breached Data Protection laws by not having appropriate security to protect their members’ personal information.