Hack of business associate of Providence Health Plan exposes data of 122K

Providence Health Plan is notifying as many as 122,000 health plan members that their insurance information may be at risk.

The health plan—the insurance arm of the Providence Health and Services delivery system in the Pacific Northwest—was notified by Dominion National, a business associate, of possible unauthorized access of its computer servers.

Providence Health Plan-CROP.jpg

On April 24, Dominion National was investigating an internal alert and determined an unauthorized party may have accessed some of its servers, and the access could have occurred as early as August 2010. The business associate notified law enforcement, cleaned affected servers, implemented advanced monitoring software and retained a cybersecurity firm.

Substantial amounts of protected health information are believed to have been compromised, with the most sensitive data including Social Security numbers, names, dates of birth, member ID numbers, bank account and routing numbers, member identification numbers, subscriber numbers and taxpayer identification numbers.

“Dominion National and Providence Health Plan have no evidence that any information was actually viewed, accessed or has been misused,” the insurer told affected members in a breach notification letter. “However, out of an abundance of caution and as required by federal privacy laws, we want to let you know that this happened and assure you that we take it very seriously.”

Dominion National is handling the breach notifications on behalf of the health plan. Affected individuals will be offered information on how to protect health information and other types of data, and Dominion National is offering members two years of credit monitoring and fraud protection services from data security firm ID Experts. A call-in center for affected persons has been established.

The Department of Health and Human Services’ Office for Civil Rights, which enforces the HIPAA privacy and security rules, strongly advises those who have had a data breach to apologize to affected individuals. “We regret any inconvenience or concern this may cause you,” affected persons were told. “We want you to know that protecting your information is incredibly important to us, as is helping you through this situation by providing you with the information and support you need.”

For reprint and licensing requests for this article, click here.