Healthcare organizations already have plenty on their plates when it comes to securing regulated patient health information on their networks. But news out of Albany, New York, last week is a reminder that – in the complex healthcare market – data risk extends far beyond the corporate firewall.
Newkirk Products, an Albany, New York-based company that provides medical ID cards and management services to Blue Cross and Blue Shield plans and other healthcare organizations, disclosed that a hack of its network had exposed data on an estimated 3.3 million individuals. The compromised information includes customers’ names, addresses and member ID numbers; information on dependents enrolled on the plan; patients’ primary care physicians; and patients’ Medicaid ID numbers, among other information.
Newkirk, which was recently the subject of a $410 million acquisition by Broadridge Financial Solutions, said in a statement that it only discovered the breach in early July, days after the Broadridge deal was closed. The company said that it was working with “third-party forensic investigators” to determine the extent of the breach, but said that it believed the incident began on May 21, 2016, more than a month before it was discovered.
The incident underscores the risk that third-party providers, or “business associates,” pose to healthcare providers. Business associates span a wide range of companies, from third-party billing firms to medical device makers and electronic health records vendors. Since 2013, the federal HIPAA patient privacy law has held business associates directly liable for compliance with HIPAA’s Privacy and Security Rules, which govern patient data.
But the incident involving Newkirk, a little-known firm that nevertheless had access to data on millions of patients, shows how easily a provider’s risk extends beyond its own network into those of its business partners.
Healthcare organizations should beware. Advancements like hosted electronic medical record (EMR) systems have been eagerly embraced by healthcare providers, but they have also widened the impact of a single breach. In just one example, a hack of EMR vendor Bizmatics in late 2015 exposed information on some 170,000 patients and prompted warnings from providers across the country.
More recently, the Department of Health and Human Services’ Office for Civil Rights (OCR) essentially put business associates on notice that it is taking “an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements.” OCR has reached resolutions with three HIPAA-regulated entities in recent months to underscore this, including a June 29 settlement that marked the first time OCR entered into a settlement with a business associate directly. In that case, the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay a $650,000 settlement and take corrective action for HIPAA violations after the theft of an iPhone compromised the health information of more than 400 nursing home residents.
Healthcare providers need to do a better job policing business associates, HHS said. That includes conducting an appropriate security risk analysis and risk management for both covered entities and business associates, and creating a comprehensive risk management plan that covers everywhere electronic protected health information (ePHI) is maintained, including mobile phones, wireless networks, laptops, thumb drives and cloud storage. Covered entities and business associates alike need to ensure that appropriate safeguards are in place to protect that data, OCR said.