A breach at Community Health Plan of Washington (CHPW) highlights how some breaches may never actually be reported or may remain hidden until a more dangerous breach occurs.
A press release dated December 21, 2016 from Community Health Plan of Washington provided details of a large breach affecting nearly 400,000 individuals. CHPW first learned of the breach on November 7, but the investigation revealed that the initial unauthorized access occurred on January 16. For nearly 11 months, CHPW did not even know that a breach had occurred.
CHPW provided more information to Information Security Media Group about the incident. CHPW learned of the incident when someone notified customer service that they were able to access member information without authorization. Through the investigation, CHPW discovered that the incident occurred through a server maintained by NTT Data.
CHPW states that their server was not accessed. However, CHPW took immediate steps to disable their server until the investigation could determine what was accessed. NTT Data told the Seattle Times that they, too, took measures to reduce the impact as soon as they learned about the incident.
A cybersecurity firm, Kroll, has been retained to instruct members on what to do if they feel their identities have been stolen. CHPW set up a phone line for members to call and ask questions. Additionally, members can sign up for a free year of credit monitoring.
The What If?
This case highlights the possibility that many breaches are never actually reported. CHPW became aware of its server issue only because someone outside the organization notified it. Had CHPW never been notified, the issue could have continued, leaving protected health information (PHI) accessible to unauthorized individuals for a prolonged period of time.
Other news reports raise similar issues. A recent article dated January 3 details how Chris Vickery, a security researcher with MacKeeper, found that U.S. Department of Defense information on psychologists and doctors was accessible. Without Vickery's notification, that information could have been left exposed for a malicious attacker to find. In another report, Kaiser Permanente found that one of its computers had been infected with malware for more than two and a half years before it was discovered in 2014.
What Do We Do About It?
The concern in all of this is that your organization could already have PHI easily accessible to ransomware and other attackers because of an unknown server or system issue. This is where audits and log monitoring come into play. Any organization that handles protected health information (PHI) should have auditing software on its systems and servers, and logs should be reviewed frequently for suspicious activity. Firewalls should be configured to reduce incoming traffic to the network, which might also mean restricting access to certain websites.
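To make the log-review recommendation concrete, here is an added example (not code from CHPW, NTT Data or HIPAAgps) that scans constructed access-log lines for member-record requests served without an authenticated user or from outside an assumed internal network, and computes how long such access went unnoticed before the discovery date. The log format, the /members/.../record path, the 10.0.0.x internal range and the discovery date are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (hypothetical format:
# timestamp, client IP, authenticated user or "-", request path, HTTP status).
SAMPLE_LOG = """\
2016-01-15T10:02:11 10.0.0.5 jdoe /members/1001/record 200
2016-01-16T03:41:09 203.0.113.7 - /members/1002/record 200
2016-01-16T03:41:15 203.0.113.7 - /members/1003/record 200
2016-06-02T12:00:00 10.0.0.9 asmith /members/1004/record 200
2016-11-07T09:15:44 198.51.100.23 - /members/1005/record 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
PHI_PATH = re.compile(r"^/members/\d+/record")   # assumed PHI endpoint
INTERNAL_NET = "10.0.0."                         # assumed trusted range
DISCOVERY_DATE = datetime(2016, 11, 7)           # date the organisation learned of it

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, user, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "user": user, "path": path, "status": int(status)}

def find_unauthorized_phi_access(log_text):
    """Return events where a PHI record was served (HTTP 200) either
    without an authenticated user or from outside the internal network."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["status"] != 200 or not PHI_PATH.match(ev["path"]):
            continue
        if ev["user"] == "-" or not ev["ip"].startswith(INTERNAL_NET):
            hits.append(ev)
    return hits

def exposure_window_days(hits, discovered_at):
    """Whole days between the earliest flagged access and the discovery date."""
    if not hits:
        return 0
    first = min(h["ts"] for h in hits)
    return (discovered_at - first).days

if __name__ == "__main__":
    flagged = find_unauthorized_phi_access(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['ts'].isoformat()} {h['ip']} unauthenticated access to {h['path']}")
    print("exposure window (days):", exposure_window_days(flagged, DISCOVERY_DATE))
```

Run against the sample, the first flagged access is on January 16 and the window to the November 7 discovery comes out at 295 days, which is the kind of gap frequent log review is meant to shrink.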
For more suggestions, start your HIPAAgps account today and learn more about how to protect yourself from breaches!