3rd Party Risk Management , Breach Notification , Governance & Risk Management

More Health Data Breaches Tied to Vendor Incidents

Hacker Attacks Against Accellion, Other Vendors Expose Patient Data
More Health Data Breaches Tied to Vendor Incidents
Supermarket and pharmacy chain Kroger says PHI of 368,000 individuals was exposed in an Accellion hacking incident.

The list of healthcare organizations affected by recent vendor security incidents - including the recent attack against Accellion - continues to grow.

See Also: SIEM: The New Force Multiplier Powered by Actionable Intelligence

For example, the supermarket and pharmacy chain Kroger reports that more than 368,000 individuals' protected health information was affected by the Accellion hacking incident, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.

In a recent statement, Kroger says Accellion notified the company that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.

"Accellion software was used for secure file transfers of certain HR data and pharmacy and clinic customer information," Kroger says.

More Victims

Several other healthcare sector entities have also recently issued breach notification statements acknowledging they've been affected by the Accellion incident.

Those include Springfield, Illinois-based Southern Illinois University School of Medicine and Trillium Community Health Plan based in Springfield, Oregon.

Canada-based Nova Scotia Health Employees’ Pension Plan also issued a recent statement about being a victim of the Accellion incident.

Ransomware Incident

In another recent vendor-related breach, more than 207,000 patients, providers and employees of Tacoma, Washington-based MultiCare Health System are receiving notices that their personal information was exposed in a ransomware attack involving a business associate's vendor.

In that incident, Woodcreek Provider Services, which provides medical practice management services to MultiCare, reports that it was affected by a December ransomware attack on cloud technology services vendor Netgain Technology.

In a Tuesday statement, Woodcreek says the attackers accessed a wide range of personal and protected health information of Woodcreek Provider Services employees, providers, applicants, contractors and patients.

Vendor Risk

The recent data breaches involving vendors join a long list of other third-party breaches on the HHS tally.

For instance, hacking incidents in 2019 and 2020 involving debt collector firm American Medical Collection Agency and cloud-based fundraising software vendor Blackbaud have racked up dozens of health data breach reports affecting tens of millions of individuals.

In light of vendor breaches, healthcare organizations need to take extra precautions, privacy and security experts say.

"Healthcare organizations that hire these firms should take prompt action to protect themselves from the fallout, beginning with shoring up their vendor relationships," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.

"The types of incidents that involve vendors providing data management services for healthcare business operations are the scariest of incidents because of the breadth and sheer volume of the data they could be handling."

Taking Action

The Accellion cyberattack sets an example of why healthcare entities should make diligent vendor security risk management a priority, Holtzman adds.

"First, prepare for the eventuality that one of your vendors is going to suffer a cybersecurity incident. There are steps to be able to both respond and recover from an incident that impacts the data that information technology service providers create or maintain on our behalf."

Keith Fricke, a principal consultant at tw-Security, suggests that healthcare organizations diligently assess the risks posed by vendors providing remotely hosted services or products.

"Organizations should have policies and contractual language addressing vendors accessing, storing, processing or transmitting sensitive information to or from overseas locations," he notes. "Asking the vendor if they subcontract any services or labor is important."

Fricke says healthcare organizations should demand to see all vendors' security and privacy policies.

Entities should watch for certain "red flags" indicating that the vendor likely has an immature security program, he says. Those include policies that were put together in response to a request to review policies; policies with no metadata, such as policy author, policy approver, last review date, or revision number; and policies missing significant content.

"Criminals continue seeking out vectors of attack that provide them with unauthorized access to networks and data," Fricke says. That's why it's more important than ever to scrutinize vendors' security risks.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.