Business Associate Incidents Added to Breach Tally
Health Data Breaches Involving Paper Records, Email Compromises Added to 'Wall of Shame'
Several major health data breaches that have been added to the federal tally in recent weeks serve as stark reminders of the security and privacy risks posed by business associates.
Among the incidents recently added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website are breaches involving the improper disposal of paper records by a vendor hired to store and destroy the records; records damaged in a tornado that hit a vendor facility; and an email hack of employees of a healthcare entity that is a parent company providing services to more than a dozen hospitals and other service providers.
Commonly called the "wall of shame," the HHS Office for Civil Rights' website lists health data breaches affecting 500 or more individuals.
Two of the recently added incidents reported as involving business associates are among the top three largest health data breaches posted on the HHS site so far in 2020.
As of Wednesday, 3,273 breaches impacting more than 234.5 million individuals have been posted to the HHS website since September 2009. So far in 2020, 208 major breaches affecting nearly 4.7 million individuals have been added.
The biggest business associate incident recently added to the HHS website was reported on May 28 by South Bend, Indiana-based Elkhart Emergency Physicians as an improper disposal breach impacting 550,000 individuals. It's the second largest breach added to the tally this year.
As of Wednesday, the HHS website shows at least seven other South Bend-area healthcare providers reporting they were affected by the same improper disposal incident, affecting a combined total of about 5,000 patients.
In a May 28 joint statement, Elkhart Emergency Physicians and the other organizations note the improper disposal incident involved a former vendor, Indiana-based Central Files Inc., which was "entrusted to provide secure record storage and destruction" to the healthcare entities during various time periods ranging from 1999 to 2013.
"The records entrusted to Central Files included sensitive and legally protected information about these organizations' patients, clients and/or employees," the statement notes. "Central Files was paid to destroy certain records, and was supposed to securely store the remaining records until transfer to a subsequent records storage company."
But between April 1 and April 9, the South Bend entities were alerted that confidential documents entrusted to Central Files "were discovered improperly dumped in an unsecure South Bend-area location sometime before April 1, 2020, and several more times until May 15, 2020."
An investigation in collaboration with local police "revealed that the records discovered at the dump site were in poor condition, showing signs of moisture damage, mold and rodent infestation, and damage from being mixed with trash and other debris," the statement notes. "Trained safety personnel determined that further inspection of most of these records to identify individuals whose information was included in the documents would be extremely hazardous and instead recommended secure destruction as soon as possible."
After retaining those records that could be safely salvaged, a document destruction vendor was hired to destroy the rest of the records, the statement says.
"At this time, there is no evidence indicating that information from these records has been used by anyone to cause harm to or compromise the identity of our patients," according to the statement.
Central Files Inc. was acquired in 2015 by Access, a Woburn, Massachusetts-based records and information management services provider. Access did not immediately respond to a request for comment about the incident involving the Central Files records.
Breach reports involving another business associate incident that resulted in damaged patient records also have been added to the HHS website in recent weeks.
That incident was reflected in at least six "unauthorized access/disclosure" breach reports filed in April; they affected a combined total of about 9,000 individuals and involved the same vendor.
In their breach notifications, the entities say a tornado struck a building leased by STAT Informatics Solutions in Lebanon, Tennessee, on March 3, damaging paper records that STAT was contracted to scan into the hospitals' electronic medical records systems and then securely destroy.
"As a result of the tornado, personal information may have been potentially exposed to others," one notification states.
Yet another breach involving a BA was reported to HHS on May 5 by BJC Health System in Missouri, which provides services to hospitals as a parent corporation. That incident, reported as involving email and impacting nearly 288,000 individuals, is the third largest breach posted on the HHS website so far this year.
"On March 6, 2020, we identified suspicious activity within three BJC employees' email accounts," says a notification statement issued by BJC. An investigation determined that an unauthorized person gained access to the employee email accounts for a limited period of time on March 6, BJC notes.
"The investigation was unable to determine whether the unauthorized person viewed any emails or attachments in the employee email accounts," BJC says.
BJC identified emails and/or attachments in the accounts that contained patient information, which may have included some patients' names, dates of birth, medical record or patient account numbers, and limited treatment and/or clinical information, such as visit dates, provider names, medications, diagnoses, and/or testing information.
In some instances, patients' Social Security numbers and/or drivers' license numbers were also identified in the accounts, the statement notes.
In its notification statement, BJC lists 14 affiliated hospitals and healthcare services organizations impacted by the incident.
Healthcare organizations should take steps to reduce the risks posed by business associates - especially those that handle paper records.
"As healthcare has focused its attention on the digital environment and how to safeguard electronic information systems, we can lose focus on developing and maintaining safeguards for retention, storage and destruction of hard-copy records that contain sensitive personal information," notes privacy attorney David Holtzman of the security and privacy consultancy CynergisTek.
"The good news is that organizations can use the same contract management techniques to assess vendors' processes and safeguards for protecting paper records and other non-digital formats," he says. "When an organization is preparing its request for proposals to bring on a vendor to perform a service that will involve handling PHI on paper or other hard-copy record, it should take the time to identify what type and the quantity of records that the contractor will be responsible for safeguarding."
Organizations should set minimum standards for administrative and physical safeguards that a prospective vendor would be required to demonstrate in order to be considered for a project, he adds.
Tom Walsh, president of consultancy tw-Security, says potential phishing and other email breaches involving business associates handling PHI are especially frustrating.
"One way a covered entity could prevent its patients from being impacted by phishing and/or email breaches is to prohibit PHI from email," he notes. "Is that a practical solution? No. Most healthcare organizations use their internal email system as a way to communicate and transport patient information internally and externally.
"Having email encrypted during transmission does little to protect PHI when a hacker gains the credentials of an authorized user, as is the case in many of the breaches."
Unfortunately, after email accounts have been compromised, many organizations realize that their ability to audit email is limited, he notes.
"For example, organizations may be able to determine when a user logged into email, read or sent an email. But the audit logs may not record which emails were previously reviewed. That's huge," he says.
"Without detailed logs, an organization may have to assume that all emails could have been viewed by an authorized person. If a user's email account had emails with patient information contained in the body of the email, that could potentially be a reportable breach - an unauthorized access to PHI," he notes. "Here's a tip: Determine the granularity/detail of email system audit logs."
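As an added illustration of the audit-log point in Walsh's tip (example code, not from the article or from any email vendor), the script below decides, from constructed sample log lines, whether a mailbox audit log can prove which messages an intruder opened during a compromise window, or whether the organization must assume every message in the account was viewed. The JSON-lines format, field names and event names are assumptions.

```python
"""Added example: does a mailbox audit log have item-level granularity?
Log format, field names and event names are constructed for illustration."""
import json
from datetime import datetime

ITEM_LEVEL_OPS = {"MailItemsAccessed"}  # events that name a specific message

# Constructed log from a system that records which message was opened.
# Login and send events carry no item id; only MailItemsAccessed does.
GRANULAR_LOG = """
{"ts":"2020-03-06T08:02:11Z","user":"alice","op":"MailboxLogin","ip":"203.0.113.7"}
{"ts":"2020-03-06T08:03:40Z","user":"alice","op":"MailItemsAccessed","item_id":"msg-101","ip":"203.0.113.7"}
{"ts":"2020-03-06T08:05:02Z","user":"alice","op":"MailItemsAccessed","item_id":"msg-117","ip":"203.0.113.7"}
{"ts":"2020-03-06T09:15:00Z","user":"alice","op":"MailItemsAccessed","item_id":"msg-130","ip":"198.51.100.20"}
{"ts":"2020-03-06T08:10:00Z","user":"bob","op":"MailboxLogin","ip":"203.0.113.7"}
{"ts":"2020-03-06T08:12:30Z","user":"bob","op":"Send","ip":"203.0.113.7"}
"""

# Constructed log from a system that records only logins and sends.
COARSE_LOG = """
{"ts":"2020-03-06T08:02:11Z","user":"alice","op":"MailboxLogin","ip":"203.0.113.7"}
{"ts":"2020-03-06T08:12:30Z","user":"alice","op":"Send","ip":"203.0.113.7"}
"""


def parse_log(text):
    """Parse JSON-lines audit records into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(value):
    # fromisoformat() on older Pythons does not accept a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def log_is_item_granular(events):
    """True if this log source ever records which message was opened."""
    return any(e["op"] in ITEM_LEVEL_OPS for e in events)


def scope_compromise(events, user, start, end):
    """Return the set of item ids proven accessed by `user` in [start, end].

    Returns None when the log has no item-level events at all: nothing can be
    ruled out, so every message in the mailbox must be treated as viewed."""
    if not log_is_item_granular(events):
        return None
    lo, hi = _ts(start), _ts(end)
    return {e["item_id"] for e in events
            if e["user"] == user and e["op"] in ITEM_LEVEL_OPS
            and lo <= _ts(e["ts"]) <= hi}
```

With the granular log, Alice's exposure in the 08:00 to 09:00 window is two named messages (the 09:15 access falls outside it); with the coarse log the function returns None, which is the "assume everything was viewed" outcome Walsh describes.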
Vendor Risk Management
Yolanda Stonewall, senior security consultant at Pondurance, says organizations should take a number of critical steps to improve vendor risk management programs. Those include working with the legal department to incorporate security requirements and right-to-audit clauses into contract terms and service level agreements.
"Hire reputable vendors with a proven track record of security compliance," she suggests. "Perform some level of due diligence over the vendor's security program at least annually."