ER Staffing Firm Breach Raises Complex QuestionsSorting Out Who Should Report an Incident
A recent hacking incident involving a firm that staffs U.S. hospitals' emergency departments with physicians and other clinicians serves as a reminder of tricky questions that can pop up when a vendor has a breach impacting patient data.
See Also: The Power and Scale of XDR
On Tuesday, USACS Management Group Ltd. reported to the Department of Health and Human Services a hacking/IT incident involving email and impacting 15,552 patients, according to HHS' Office for Civil Rights' HIPAA Breach Report Tool website. Commonly called the "wall of shame," the website lists health data breaches affecting 500 or more individuals.
The incident is listed on the HHS site as involving a business associate. Canton, Ohio-based USACS provides emergency medicine management and other services to about 210 hospitals in 22 states. That includes staffing hospital emergency departments with doctors, nurse practitioners and physician assistants.
But sorting out whether a company such as USACS is a business associate or a covered entity - or perhaps both - is a complicated task that could affect who should report a breach.
A spokesman for USACS Management Group, which reported the breach to HHS, tells Information Security Media Group that the company is a business associate of the USACS physician practices that staff hospitals.
"In the primary work we do - providing patient care - the practice entities are covered entities, not the BA of the hospitals," he says. "We may provide some services, such as medical director services, that would make the physician practice group a BA for a limited purpose. That was not the case here."
A USACS notification statement posted on the company's website notes that on March 9, the firm learned that an unauthorized third party may have accessed a USACS employee's email account that same day.
"We immediately began an investigation, including hiring a leading outside computer forensic firm to assist us. The investigation determined that the unauthorized third party illegally gained access to one USACS email account containing patient information," USACS says.
The hacked email account may have included some patients' information, including names, addresses, dates of service, USACS account numbers, medical and health insurance information, diagnostic and treatment information, and, in some cases, Social Security numbers, USACS says.
No data maintained by USACS' hospital clients was compromised in the incident, the USACS spokesman tells ISMG. "We do not own or oversee the hospital electronic health records or IT. There were no hospital systems or records impacted by this incident," he says.
The company says it has no indication that any of the information has been inappropriately used. USAC, however, is offering patients whose Social Security numbers were breached a free one-year membership for credit monitoring and identity protection services.
USACS Management Group. Ltd not only reported the incident to HHS, but is also sending out letters to affected individuals.
"The patients will receive a letter from USACS, not the hospital," the spokesman says. "The letter does not name the [hospital] facility. The letter makes clear we are their physicians who treated [the individual] during [the] emergency department visit."
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes that when a business associate experiences a breach, impacted covered entities have the obligation to notify affected individuals and government regulators.
But even if a business associate agreement spells out that the vendor will handle breach notification duties under certain circumstances, "it's highly unusual for anyone but the covered entity to notify the individuals," Nahra says.
For instance, breach notification letters from a vendor that a victim has never heard of potentially could be a source of additional confusion, he notes. In such cases, a vendor needs to clarify why the individual is receiving the letter, he says.
An example of rare exceptions to that usual scenario for covered entities to send notifications to individual is the Anthem Inc. breach in 2016, Nahra notes. In that situation - which impacted nearly 79 million individuals - health insurer Anthem had many complex relationships, including being a covered entity, business associate and a downstream business associate to other BAs, he notes. In that case, "Anthem basically took on the responsibility to notify individuals," he says.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine offers a similar assessment.
"The obligation to report [breaches] to HHS and the affected individuals falls on the covered entity, who is liable if it doesn't happen."
—Attorney Adam Greene
"The obligation to report to HHS and the affected individuals falls on the covered entity, who is liable if it doesn't happen. But the covered entity can delegate these responsibilities to the BA, which often makes sense when a breach involves one BA but multiple covered entities."
The USACS incident, however, involves more complex circumstances, he notes.
"The definition of business associate excludes disclosures to healthcare providers for treatment. As a result, these relationships can get complicated with respect to the ER provider sometimes qualifying as a business associate and sometimes qualifying as a healthcare provider providing treatment," he says.
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says state requirements add an extra wrinkle to notification duties.
"The HITECH Act breach notification rule specifies the content of the notification provided to individuals affected by a breach," he says. "But some states, notably California, have additional requirements that specify the content required to be included in the notifications. In my view, any breach notification to an individual should identify the covered entity whose protected health information was compromised so that the patient can more fully understand the type and sensitivity of their health information that has been exposed."
To help avoid potentially messy situations between CEs and BAs in breach situations, healthcare organizations should implement sound vendor management practices, Holtzman stresses.
"Good vendor management practices call for a covered entity to work with their contractors to employ a risk-based strategy to assess the potential for compromise of data," he says.
"It's crucial to ensure that your BA has performed a risk analysis of any information networks and devices that will handle electronic PHI, as well as ensure that there is an incident response plan in place to detect and mitigate the effects from a cybersecurity incident."