[BreachExchange] Vendor Configuration Error Results in Exposure of 14,000 Individuals’ ePHI

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 13 19:21:51 EDT 2017


http://www.hipaajournal.com/configuration-error-vendor-results-exposure-14000-individuals-ephi-8715/

A major breach of electronic protected health information has been
discovered by Universal Care, dba Brand New Day, a Medicare-approved
health plan.

On December 28, 2016, Brand New Day became aware that an unauthorized
individual had gained access to ePHI it had provided to one of its HIPAA
business associates. The access had occurred six days earlier, on December
22, 2016, via a third-party vendor system used by Brand New Day’s
contracting provider.

The breach notification submitted to the California attorney general does
not indicate whether the ePHI of plan members was stolen, although the data
were accessed and a criminal investigation into the breach has been
launched by law enforcement. The types of data accessed include plan
members’ names, addresses, phone numbers, dates of birth and Medicare ID
numbers.

Upon discovery of the incident, Brand New Day immediately launched an
investigation and contacted its vendor to ensure that access to ePHI was
immediately terminated. The vendor was informed that someone had improperly
accessed plan members’ data and rapid action was taken to block access.
Brand New Day says the error that allowed ePHI to be accessed was
eliminated ‘within hours’ of its vendor being notified of the breach.

While no specific mention of the exact nature of improper access was made,
Brand New Day says “We changed our practices regarding access requiring
monthly verification of each user.” Brand New Day is also performing a
thorough ‘self audit’ to determine whether any other errors have occurred
that jeopardize the confidentiality, integrity and availability of ePHI.

As a precaution against identity theft, all affected individuals have been
offered 12 months’ complimentary identity theft mitigation services via
Experian.

The breach report submitted to the Department of Health and Human Services’
Office for Civil Rights indicates 14,005 individuals were impacted by the
incident. Brand New Day says it delayed the issuing of breach notification
letters so as not to interfere with the criminal investigation of the
breach.

HIPAA and Business Associates

Before any electronic protected health information is provided to a
business associate, a signed copy of a business associate agreement must be
obtained. The business associate agreement should explain the need to
comply with the HIPAA Privacy, Security, and Breach Notification Rules and
the need to implement safeguards to ensure the confidentiality, integrity,
and availability of ePHI is not put at risk. The BAA should also explain
the procedures for notifying the covered entity in the event of a breach of
ePHI.

A BAA will not necessarily prevent breaches of ePHI, although it will
ensure that business associates are aware of their responsibilities to
safeguard ePHI and issue notifications in the event of a breach. Should any
violation of HIPAA Rules occur, it would likely be the business associate
that is liable, rather than the covered entity. Since the introduction of
the HIPAA Omnibus Rule, business associates of HIPAA covered entities can
be fined directly by OCR and state attorneys general if HIPAA Rules are
discovered to have been violated.