Billing Vendor Breach Affects 275,000. Phishing Suspected. Not Yet Clear How Many of Firm’s Healthcare Clients Were Affected

At least 275,000 individuals served by a variety of healthcare providers and health plans had data exposed as a result of a breach at Houston-based billing and debt collection vendor Benefit Recovery Specialists Inc. (BRSI).

The company says that on April 30, 2020, it discovered a malware incident affecting certain company systems. BRSI customer files containing personal information may have been accessed and/or acquired between April 20 and April 30, 2020.

Information that may have been exposed includes name, date of birth, date of service, provider name, policy identification number, and procedure code and/or diagnosis code. Social Security numbers may also have been exposed for some people.

The description of the incident in BRSI’s breach notification statement – in particular the company’s mention that the perpetrator used employee credentials – points to the possibility that BRSI’s information systems were compromised through a phishing attack. BRSI has not confirmed the initial access vector, and misuse of valid credentials is also consistent with other causes, such as password reuse or credential-stealing malware.

The BRSI incident comes roughly a year after a breach affecting another medical debt collection company, American Medical Collection Agency. That incident impacted more than two dozen healthcare providers and more than 20 million individuals.

The question for healthcare providers is whether this marks the start of a trend reflecting inadequate cybersecurity safeguards in the billing/collection sector. Incidents involving vendors that provide billing and collection services to many healthcare organizations are extremely concerning because of the breadth and sheer volume of the data those vendors handle: a single compromised vendor exposes the patients of every client at once.

Organizations that are BRSI clients will need to activate their incident response plans, including compiling an inventory of the patients whose protected health information (PHI) the vendor maintained on their behalf.

The incident is the fifth business associate breach among the 10 largest breaches added to the HHS Office for Civil Rights breach portal (the “Wall of Shame”) so far this year.

Third-Party Risk Management

The BRSI incident highlights the privacy and security risks posed by business associates (BAs). It’s not enough to have a BA sign a business associate agreement (BAA). Oversight and regular follow-up are needed to confirm that the BA has actually implemented the actions, processes, procedures and tools necessary to fulfill what the BAA requires of it.

Healthcare organizations must take prompt action to protect themselves by shoring up their vendor relationships. They should also prepare for the eventuality that one of their vendors will suffer a cybersecurity incident: any response plan must cover responding to and recovering from an incident that affects data a vendor creates or maintains on the organization’s behalf, including how the vendor will notify the organization and what records it can provide.

It is also crucial that organizations ensure that both their employees and any BA know how to recognize and respond to suspicious emails, and when a specific communication is too risky to open. Because an attacker operating with valid employee credentials looks like a legitimate user, organizations must also have audit logging in place for their information systems and must actually review that system activity for anomalous access, rather than merely collecting the logs.

If you have questions on vendor security, phishing, or HIPAA risk management, contact ITPAC today.