Iowa Reports 3rd Large Vendor Breach This Year

Latest Breach Affects 234,000 Individuals; Involves Recent MCNA Insurance Co. Hack

The state government of Iowa reported to federal regulators a third major health data breach since April involving a third-party vendor. The breach stems from an incident at dental health insurer MCNA Insurance Co.

The Iowa Department of Health and Human Services reported hackers had compromised the protected health information of nearly 234,000 Iowa residents in an incident that affects nearly 9 million Americans across the country.

Iowa is among more than 100 MCNA clients, which include other state health departments and Medicaid agencies, affected by the incident.

This year, Iowa HHS has already reported to federal regulators two other large breaches involving incidents at business associates.

One of those incidents affected 21,000 individuals. It involved a contractor, Telligen, which disclosed a 2022 hacking incident at a subcontractor, Independent Living Systems. The ILS breach affected about 4.2 million people nationwide.

On May 26, Iowa reported a breach involving business associate Amerigroup, which “inadvertently disclosed” the protected health information of 833 Iowa Medicaid members to 20 healthcare providers in paper explanation of payment notices.

Three large breaches within weeks of each other illustrate vendor risk challenges that many state agencies and other large organizations face.

Those issues include the large number of third parties in the mix and the time it takes to conduct proper risk assessments of those vendors.

Organizations should try to manage the scope of vendor risk assessments by starting with ones falling into these categories: third parties storing, processing or transmitting large amounts of electronic PHI — and third parties having remote access into networks.

Organizations need to carefully review business associate agreements. That includes ensuring the agreements contain language that sets expectations about timely breach notification and allows for periodic risk assessments of the vendor under reasonable terms and conditions.

It is not enough anymore to have the required business associate agreements signed. Covered entities need to perform some type of risk assessment on vendors with whom they conduct business.

Covered entities should not be too quick to sign the business associate agreement presented by a vendor. Covered entities should exhaust all options to get the business associate to sign theirs.

If an entity must sign a vendor’s business associate agreement, read every line and redline that which does not support the very best protections for the covered entity’s data. Particularly, review the indemnification clause. If it is not included, add yours in. If it is in favor of the BA, request stronger language. Business associates must recognize their responsibilities — including financial — when they have a data breach.

If you have questions about the evolving healthcare data risk landscape, call ITPAC today.