A third-party vendor specializing in billing and IT solutions was the victim of a ransomware attack that has impacted two major health insurance companies. Both insurers have begun notifying their members that their protected health information (PHI) has been exposed.
Both health insurance companies use the same third-party vendor, which shares information with a health care provider that assists patients with end-stage kidney disease. The health care provider coordinates care between dialysis centers, providers, and nephrologists. One of the insurers has stated that over 4,000 patients were impacted by the data breach, while the other has not yet determined how many members were affected.
The third-party vendor first discovered the breach on May 1, 2021. The investigation determined that the ransomware attack occurred between April 17 and May 5. On May 6, the third-party vendor restored its systems but found that an unauthorized party had accessed and stolen files containing PHI.
The stolen files may have included first and last names, birth dates, phone numbers, member ID numbers, clinical data pertaining to kidney care services, and addresses. No financial information was stolen in the ransomware attack.
The third-party vendor has no reason to believe that the stolen information will be misused as a result of the attack. Nevertheless, the vendor is recommending that impacted members review Explanation of Benefits (EOB) letters, SmartSummary statements, and medical records for suspicious activity. The members affected by the breach will receive free credit monitoring services for two years.
The HIPAA Security Rule requires covered entities to enter into a business associate agreement (BAA) with any third-party vendor that performs services on the entity's behalf. The agreement holds business associates to the same HIPAA standards as the covered entity, with the aim of keeping patient PHI safe. However, recent research from a consulting company found that while over 82 percent of surveyed IT and security professionals recognized that third-party threats exposed their organizations to risk, only half said that their organizations actually prioritize those risks. Respondents also estimated that, over the next five years, their organizations would share about 41 percent of critical data with third-party entities.
Compliance Perspective
Issue
The healthcare sector is now one of the largest victims of ransomware because of the confidentiality and critical nature of online patient records. It is imperative that all nursing facilities become proactive in preventing ransomware attacks in order to avoid data breaches, which are reportable under the Health Insurance Portability and Accountability Act (HIPAA). Nursing facility leaders and the Privacy Officer should be aware of the new tactics being used in ransomware attacks and should provide training on best practices for preventing a ransomware attack to all staff with access to electronic medical records, email, or the internet. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.
Discussion Points
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices designed to prevent ransomware attacks.
- Train all appropriate staff on best practices to prevent ransomware. Document that the trainings occurred and file the documentation in each employee's education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable about and are using best practices for preventing ransomware attacks.