Printing Vendor's Breach Tally Soars to Nearly 2.7 Million
OneTouchPoint Is Among Growing List of Vendors Reporting Huge Health Data Breaches
An updated data breach report shows that a printing and mailing vendor's original estimate of the number of individuals affected by an apparent ransomware attack fell short by more than half: the new total, nearly 2.7 million, is more than double the figure first reported.
The update thrusts the incident at Wisconsin-based OneTouchPoint into the upper ranks of the largest health data breaches reported to regulators so far in 2022, a year in which many other major incidents involving supply chain vendors have already occurred.
The updated breach report filed to the Maine attorney general's office on Aug. 26 says 2.65 million individuals - including nine Maine residents - were affected by an "external system breach hacking" incident detected on July 15.
OneTouchPoint's original breach report to Maine's attorney general and the U.S. Department of Health and Human Services on July 27 said the incident affected nearly 1.1 million individuals.
A breach notification statement posted on the company's website in July indicated that 38 health plan clients had been affected by the incident, although that number could also grow.
At least one health plan not on the list - Wisconsin-based Common Ground Healthcare Collaborative - has also reported its breach to HHS' Office for Civil Rights as involving the OneTouchPoint hacking incident, telling regulators that 133,714 individuals were affected.
OneTouchPoint did not immediately respond to Information Security Media Group's request for comment.
Regulatory attorney Rachel Rose says that it is not uncommon for the number of individuals affected by a breach to climb significantly after the incident has first been reported to regulators, for a number of reasons, including the progress of the forensics investigation.
Why are so many covered entities and their patients being affected by hacking and other health data breaches involving vendors?
"Cybercriminals usually go for the 'weakest link,' and it may or may not be a business associate or subcontractor," Rose says. "Appreciating the points of ingress and egress of sensitive data is paramount because those are the paths that a cybercriminal can use to access the 'lucky charms,' if you will," she says.
With so many vendors being hit by ransomware and other hacking incidents, is it a matter of time before all covered entities and their patients eventually become victims of health data breaches?
"In the context of what we’ve been seeing for a number of years now, it's often just a question of 'when' as opposed to 'if' a healthcare provider, payer or vendor will find itself impacted by hacking and ransomware," says privacy and security attorney Brad Rostolsky of law firm Reed Smith.
"That said, there are certainly security resources out there … that can significantly minimize the exposure," he says.
Rose suggests that entities conduct an annual risk analysis and, as part of due diligence, ask their business associates to attest to a checklist of critical security risk actions they have taken.
Rostolsky says at a minimum, covered entities and prime business associates should require their vendors to maintain strong cyber insurance coverage.
Also, "security questionnaires can be valuable, but ultimately unless a covered entity wants to regularly audit its vendors, there may only be so much they can do," he says.
"Indemnification helps, but the vendors who cause a problem have become more of a focus than the covered entities that are impacted by a vendor's issue," he says.
Also, entities should consider including clear language in a business associate agreement that speaks to a covered entity's expectations of its business associate in the face of an incident, including addressing the type and degree of cooperation that is expected and required, he says.
OneTouchPoint in its breach notification statement says that on April 28, it discovered encrypted files on certain computer systems. Its investigation determined that there had been unauthorized access to certain company servers beginning on April 27, OneTouchPoint says.
"Through the investigation, we learned that we would be unable to determine what specific files the unauthorized actor viewed within our network."
OneTouchPoint says it later determined that its affected systems contained certain information, including individuals' names, member IDs and information provided during health assessments. Social Security numbers and financial information were not affected, OneTouchPoint says.
The HHS OCR's HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals is top-heavy, and the largest breaches so far this year have been reported by business associates.
A hacking incident involving cloud-based Eye Care Leaders has resulted in dozens of covered entity clients reporting breaches affecting about 3 million individuals so far this year.
And aside from the OneTouchPoint and Eye Care Leaders incidents, the HHS OCR website as of Monday shows that the three largest breaches reported so far in 2022 all involved business associates. Those include:
- Shields Health Care Group, reporting a hacking incident on May 27 as affecting 2 million individuals;
- Professional Finance Company, reporting on July 1 a ransomware incident affecting 1.9 million individuals;
- Novant Health, reporting on Aug. 12 an unauthorized access/disclosure breach involving electronic health records and affecting 1.36 million. This incident allegedly involved Novant’s use of Meta/Facebook Pixel code, which ended up sending certain Novant patient portal and website data to Meta/Facebook without individuals' knowledge.
As of Monday, the HHS OCR's breach reporting website did not reflect the updated total number of individuals affected by the OneTouchPoint breach.