Hackers had access to protected health information and other information of nearly 400,000 members of Community Health Plan of Washington over a 10-month period, the organization says.
The information was held by a server operated by a technology services provider, which was not identified by Community Health Plan. The breach was discovered on November 7 and the server was disabled; members of the plan and the media were notified of the breach on December 20.
An internal investigation, assisted by a digital forensics firm, determined that the initial access to records dated back to January 16.
In a letter to members, Community Health Plan said it disabled access to the hacked server as soon as the breach was discovered. “We also notified the Washington State Health Care Authority and Washington State Office of the Insurance Commissioner, and we reported the matter to the Federal Bureau of Investigation (FBI).”
A plan spokesman said its investigation determined that hackers were able to access names, addresses, dates of birth, Social Security numbers and some coding information related to healthcare claims.
In addition to continuing to work with authorities on the breach, Community Health Plan is offering credit and identity monitoring services for 12 months at no cost to members, as well as providing them with additional information on protecting their identity information.
“We are also working with our technology services provider to increase the security of all CHPW member information to prevent similar incidents in the future.”
Identity monitoring services being offered to members include credit monitoring, identity consultation and identity restoration. The service also will monitor internet sites at which “criminals buy, sell and trade personal information; you’ll be promptly notified if evidence of your identity information being traded or sold is discovered.”
The not-for-profit health plan is the only entity in the state founded by local community health centers; the breach appears to involve the information of almost all of Community Health Plan’s members.