Have you ever pulled a loose thread on your shirt only to watch the whole shirt unravel? Something similar happened while researching a recent HIPAA breach for this post. What initially looked like a small, isolated incident at a hospital here in Texas snowballed into something much larger.
Once upon a breach…
Baylor Scott & White operates multiple medical centers across Texas. One location, Baylor Scott & White Medical Center – Frisco, recently released a public notice regarding a HIPAA breach of some patient data. On September 29, the hospital found the first signs of the breach. The hospital's own systems were not breached. An unknown attacker compromised the hospital's third-party payment processor, AccuDoc Solutions Inc. The hospital immediately stopped processing payments through the vendor, notified the vendor, and started investigating the issue further.
47,984 patients initially affected by the breach.
As a result of the investigation, we know that the breach occurred between September 22 and 29. The attack did not compromise any health-related patient information held by Baylor Scott & White Medical Center. However, it did compromise payment information for 47,984 patients: data specific to the payments themselves and to the credit cards used to make them. This is where things get interesting.
Let it snow… ball.
After being notified, AccuDoc began its own investigation. Investigators discovered that the same attack had compromised another healthcare client, Atrium Health. Atrium Health operates 44 hospitals across North Carolina, South Carolina, and Georgia. The amount of data compromised from Atrium Health far surpasses the initial incident. The breach exposed over 2.65 million records, making it the largest breach reported since 2016.
It appears that no data was actually downloaded. The attacker was able to view, but not exfiltrate, information such as first and last name, home address, date of birth, account balances, CVV code, and other payment-related information. In some cases, that data may also have included Social Security numbers.
HIPAA includes payment information.
Even though Baylor Scott & White was not the focus of the attack, payment records contain data that HIPAA classifies as protected health information (PHI). Consequently, the HIPAA Breach Notification Rule required the hospital, as the covered entity, to notify the affected individuals and the public even though the hospital itself was not at fault. Now, you can find Baylor Scott & White Medical Center – Frisco on the HHS Office for Civil Rights list of Cases Currently Under Investigation (often referred to as the “wall of shame”). Atrium Health also released a special announcement.
Third-party vendor fallout.
Most HIPAA data breaches occur at the healthcare provider itself. However, if you look at the wall of shame, you’ll notice something that should concern anyone in healthcare. The two breaches on that list that affected the most individuals (including the breach at AccuDoc) both involved Business Associates, HIPAA’s term for third-party vendors that handle PHI on a covered entity’s behalf.
According to HIPAA Journal, AccuDoc has assigned blame to a security vulnerability in one of its own third-party vendors. If you’re keeping track, that’s a third-party vendor of a third-party vendor causing a HIPAA breach for two separate healthcare organizations. The ramifications will affect both Atrium Health and Baylor Scott & White, neither of which operated the system that was actually compromised.
How to avoid third-party vendor HIPAA breaches.
We’ve discussed how healthcare makes a great target for cyber-attacks. Every healthcare organization has a multitude of vendors, and because those vendors store or process PHI on the provider’s behalf, they often provide an easy back door into a healthcare provider’s data. Organizations should already be performing an annual risk assessment; those risk assessments should extend to vendors as well. Specifically, treat the vendor’s IT systems as you would your own: know what data the vendor holds, how it is protected, and which subcontractors of the vendor can reach it. A signed Business Associate Agreement is required, but it only allocates responsibility; it does not, by itself, verify that the vendor (or the vendor’s own vendors) actually protects the data.
This can be a daunting task. Pit Crew’s HIPAA Compliance 360 service provides a great starting point to bring your organization into compliance. Our partnership with HIPAA experts, Third Rock, covers both technical and physical data privacy aspects of HIPAA compliance across your organization. Avoid the risk. Avoid the fines. Get started by requesting a free consultation below.