Community Health Plan of Washington will start notifying almost 400,000 current and former members that their personal information, including Social Security numbers, were accessed in a recent data breach.

Share story

Almost 400,000 current and former members of the Community Health Plan of Washington have had personal information, including Social Security numbers, exposed in a data breach.

The nonprofit, which provides health insurance through Medicaid in Washington, is sending letters to 381,534 individuals Wednesday notifying them of the invasion and steps they can take to protect themselves with help from Community Health Plan of Washington.

There’s no evidence yet of any harm to members, said Marilee McGuire, its chief operating officer. The organization confirmed the breach Nov. 30 after a forensics investigation and notified the FBI and state regulators, including the Office of the Insurance Commissioner, McGuire said.

“Our members put our trust in us and this has been very upsetting to me personally,” she said.

The organization waited until now to notify members, McGuire said, to allow time to hire a consumer security firm, line up translation services and set up a call center for anxious members to contact.

The incident began when someone left a phone message with the agency on Nov. 7. McGuire said she doesn’t have information about that person’s identity or motive. The caller, McGuire said, just indicated that they had identified a vulnerability in the computer network of the firm that provides the organization with technical services.

That company is a subsidiary of NTT Data, a global firm with 100,000 employees in 50 countries, according to its website. McGuire said the Community Health Plan of Washington has a longstanding relationship with the company. A spokesman for NTT Data said upon learning of the incident, the company took immediate steps to identify the vulnerability and eliminated it.

After the phone message last month, the organization hired a forensics investigator who confirmed that members’ records were accessed without authorization. Those records include names, addresses, dates of birth, Social Security numbers and health-claims information. Notes that health providers make after patient visits were not included in the hacked information, McGuire said.

The organization then hired Kroll, a cybersecurity firm to help instruct members on what to do if they suspect their identities have been stolen. Every member identified in the forensics investigation will receive a customized letter with an individual identification number assigned by Kroll. Members can sign up for a free year of credit monitoring, McGuire said.

“We wanted to make sure all those logistics were in place,” she said. “Those things take time unfortunately.”

A spokeswoman for the state Office of the Insurance Commissioner (OIC) said “the sooner the better” when it comes to notifying consumers about hacking and possible identify theft. But Stephanie Marquis of the OIC said “we’re not seeing anything out of the normal” with the Community Health Plan of Washington’s response. Marquis encouraged all affected members to take advantage of the free credit monitoring.

Premera Blue Cross, based in Mountlake Terrace, announced last year that 11 million of its customers were possibly vulnerable after a cyberattack.

State Insurance Commissioner Mike Kreidler said he was concerned about the six-week delay between Premera’s learning of the breach and making it public.

The insurer faced more than three dozen class-action lawsuits after the breach.

McGuire said the expense of the response is still being tallied and she expects NTT Data to absorb some of the costs. She said members would “absolutely not” be charged for any services related to the breach, nor would taxpayers.

The Community Health Plan of Washington was founded in 1992 by a network of community and migrant health centers, McGuire said. It is the insurance arm of 19 community health centers on the state and their 130 clinics, McGuire said.