DataBreaches.net

The Office of Inadequate Security


Data breach affects almost 400,000 Community Health Plan members (UPDATE2)

Posted on December 21, 2016 (updated April 24, 2019) by Dissent

Bob Young reports:

Almost 400,000 current and former members of the Community Health Plan of Washington have had personal information, including Social Security numbers, exposed in a data breach.

The nonprofit, which provides health insurance through Medicaid in Washington, is sending letters to 381,534 individuals Wednesday notifying them of the invasion and steps they can take to protect themselves with help from Community Health Plan of Washington.

Read more on The Seattle Times. The incident appears to involve an unnamed business associate/vendor that is a subsidiary of NTT Data.

UPDATE: It appears that this breach is yet another caused by a public FTP server, and that it was discovered by a security researcher who reported it to them. Interesting that the reporting says “invasion,” and I’ll be interested to see how the covered entity explains this breach to its members. In the meantime, I’m changing the tags on this incident from “hack” to “exposure.”

UPDATE 2: And now we know the name of the BA: Transaction Applications Group Inc., doing business as NTT Data, who processes claims for CHPW. Read more on GovInfoSecurity. It sounds like CHPW may be building a case of hacking against the researcher.


2 thoughts on “Data breach affects almost 400,000 Community Health Plan members (UPDATE2)”

  1. Anonymous says:
    December 28, 2016 at 5:43 pm

    CHPW blames NTT Data, a subsidiary of Nippon Telegraph and Telephone.
    CHPW says they reported breach to HHS.
    But wall of shame does not list it.
    Except that the Peachtree Orthopaedics breach has the same size and was reported a few days earlier.
    And newspaper accounts in Atlanta say that breach involved a ransom demand.

    But Justin S says he noticed the records were available to all in an unsecured anonymous FTP server.

    Was this an instance of careless, ransom, or state-sponsored? (Could be all three)

    Anyone know what gives here?

    1. Dissent says:
      December 28, 2016 at 5:57 pm

      1. HHS is often a tad slow in showing breach reports they’ve received – sometimes by weeks. Be patient, it will show up.
      2. Peachtree Orthopedics was reported to HHS on November 18, after they confirmed it 9/22. CHPW first learned of their breach on Nov. 7. They didn’t report it to HHS until around Dec. 18.
      3. There’s lots of coverage on my site about the Peachtree hack and ransom demands, beginning in August when I first suspected they were a victim. Media in Atlanta were slow to report what my readers knew months ago.
      4. The CHPW appears to be human error by the vendor/BA.

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.
