Equipment Benefits Administrator Reports Data BreachWhat Can Covered Entities Do to Help Prevent Falling Victim to BA Breaches?
A Michigan-based administrator for durable medical equipment benefits is the latest business associate to report a large health data breach affecting patients as well as healthcare providers.
In a July 12 statement, Madison Heights, Michigan-based Northwood Inc. says that on May 6 it discovered "suspicious activity" involving an employee email account.
"Working together with a leading computer forensics expert, our investigation determined that an unauthorized individual or individuals accessed the email account between May 3, 2019 and May 6, 2019," the statement says.
"Because Northwood was unable to determine which email messages in the account may have been opened or viewed by the unauthorized actor, we reviewed the contents of the entire email account to identify what personal information was stored within it."
Northwood says that on June 19, it determined that the affected email account contained information related to certain individuals who received durable medical equipment either supplied or managed by Northwood. The type of information affected varies for each patient, but could include name, address, date of birth, dates of service, provider name, medical record number, patient identification number, medical device description, diagnosis, diagnosis codes, treatment information, member health plan identification, and in a very small number of instances, Social Security numbers and driver's license number. Health insurance provider names were also impacted for healthcare plan members, Northwood adds.
Also contained in the exposed email account, the company says, was information pertaining to certain healthcare providers in connection with their exclusion status with the Centers for Medicare & Medicaid Services, including their names and Social Security numbers.
Northwood says it does not have any evidence of actual or attempted misuse of any individual's information as a result of the incident.
A law firm representing Northwood did not immediately respond to an Information Security Media Group request for additional details.
Multiple Breach Reports
As of Wednesday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows four slightly different entries that apparently are for the same incident.
In total, the number of individuals impacted by the "unauthorized access/disclosure" incident appears to be about 15,000, based on the four breach reports that Northwood filed in its role as a business associate within days of each other.
There are a variety of possible reasons why an organization might file separate breach reports to the HHS Office for Civil Rights for the same incident, says health information privacy and security attorney Paul Hales.
"The covered entity is responsible for breach reporting. Some CEs offload breach notification and related costs to BAs by contract," he notes. "A covered entity would have been required to report each separately. Northwood may have been required by contract to report the breaches for which it was responsible," he says. "Northwood, on its own initiative may have reported breaches to affected individuals to enable them to protect themselves from potential harm resulting from the breach."
Business Associate Breaches
As of Wednesday, the HHS HIPAA breach reporting website - also commonly called the "wall of shame" - shows 61 breaches impacting a total of nearly 1.5 million individuals reported as involving a BA so far in 2019.
Some 253 breaches affecting a total of 10.3 million individuals have been added to the federal tally so far this year. So breaches reported as involving BAs are responsible for about 25 percent of that total.
Not yet reflected on the tally, however, are any reports tied to the breach of the business associate American Medical Collection Agency. That incident is so far known to have affected more than 23 million individuals and more than a dozen of AMCA's clients.
"BAs are the weakest link in HIPAA compliance," Hales says. "Many don't know how to comply or even that they are liable for compliance."
"CEs must do due diligence with all BAs," he adds. "Due diligence is crucial. HIPAA requires every CE to have 'satisfactory assurance' the BA will appropriately safeguard protected health information. Giving PHI to a BA without due diligence is 'willful neglect' with exposure to the highest civil money penalty amounts."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, notes: "There's no way for CEs to be sure their BAs avoid breaches - just as their own organizations can't guarantee to be breach-free. Security is all about reducing the likelihood - and harm - of breaches."
But there are good practices to follow regarding BA security, Borten notes. "These include interviews with security leaders to get a gut feel for the company's security proficiency, along with a high level review of policies and procedures and summary of the latest risk assessment."
Privacy attorney Kirk Nahra of the law firm WilmerHale offers a similar perspective.
"As a general matter, just as there is no realistic way for a covered entity to make sure that they never have their own security breach, there is no realistic way to ensure that a business associate never has a breach," he says. "The goal is reasonable and appropriate compliance, and true compliance includes not only preparations in advance but also how you respond to an incident and improve going forward."
BAs as Source of Risks
For most covered entities - who will have dozens if not hundreds of business associates - the overall risks from business associates typically will be higher than their own risk of a breach, Nahra says. "There certainly are things you can do to reduce risks - both in terms of diligence surrounding the security programs of the business associate and smart thinking about the data that the business associate actually needs," he says.
"One key tip is to pay close attention to what the business associate really needs to do their job - don't just give them 'everything' simply because they might need it at some point or it is too hard to figure out what they need among your data pool."