Health Data Breach Tally Crowded with Vendor Incidents

Business Associate Breaches Affect Millions

Nearly one-third of the major health data breaches added to the federal tally so far this year involve business associates, continuing a trend seen in recent years. A recent analysis by CI Security found that in the second half of 2020, nearly 75% of all records breached were tied to security incidents involving business associates.

Currently, the HHS OCR website shows that 37 major breaches, affecting more than 4.5 million individuals, have been reported in 2021 and added to the tally so far this year. Of those, 12 breaches affecting nearly 3.6 million individuals were reported as involving business associates. Some of those 37 breaches reported this year are incidents that occurred in 2020.

Some of the largest health data breaches in the last couple of years involved business associate incidents that, in turn, affected dozens of clients serving millions of patients.

For instance, a hacking incident reported in 2019 involving the American Medical Collection Agency, a bill collection vendor, affected more than two dozen covered entities—including major laboratory testing firms—and more than 20 million individuals.

And in 2020, hackers hit cloud-based fundraising software vendor Blackbaud, affecting, in turn, about four dozen of its healthcare sector clients and more than 10 million individuals. Hackers are taking advantage of the interconnectivity of healthcare organizations and the vendors that serve them.

In the Blackbaud incident, a breach at a single vendor resulted in a multitude of healthcare organizations having to file breach reports with HHS.

Persistent Problems

One of the business associate breaches posted on the HHS tally so far in 2021 is a hacking incident reported by The Richards Group, a Vermont-based vendor that provides insurance-related services to businesses.

The federal tally indicates that the email hacking incident, which affected about 15,400 individuals, was reported to HHS on Jan. 28. But a recent breach notification statement issued by The Richards Group indicates the incident involved a phishing attack that compromised an employee email account sometime last May.

Unfortunately, many vendors still do not appreciate the devastating impact their poor security controls and practices can have on their healthcare clients’ data. The increase in “startup” BA firms offering services to the healthcare industry is of particular concern. These firms may have valuable and innovative products and services but very limited security and privacy expertise.

For many of these firms, security is not “baked in” to their offerings the way it may be with legacy providers.

If you have questions about your IT security and the risks posed by your business associates, call ITPAC today.