[BreachExchange] Why a Furniture Maker Had to Report a Health Data Breach

Destry Winant destry at riskbasedsecurity.com
Fri Apr 19 05:03:41 EDT 2019


https://www.govinfosecurity.com/a-furniture-maker-had-to-report-health-data-breach-a-12393

Sometimes, even a furniture manufacturer must report a health data
breach to comply with the HIPAA Breach Notification Rule.

Asheboro, N.C.-based Klaussner Furniture Industries says that in
February it discovered a data security incident that exposed certain
health data of current and former employees, as well as some of their
dependents.

The incident is listed on the Department of Health and Human Services'
HIPAA Breach Reporting Tool website as a "hacking/IT incident"
affecting about 9,300 individuals and involving a network server. It's
listed on the so-called "wall of shame" as being reported by
"Klaussner Furniture Industries, Inc. Employee Benefits Plan through
its sponsor, Klaussner Furniture Industries, Inc."

HIPAA Compliance Issues

"One of the biggest challenges for employers is realizing whether they
have any plan member data that is subject to HIPAA," says privacy
attorney Adam Greene of the law firm Davis Wright Tremaine. "They may
have a third-party administrator and believe that all of the data
resides with the administrator, when that is not the case."

When an employer discovers employee information has been breached,
Greene says, it should carefully review whether it is involved in
administering its group health plan and determine whether any employee
data related to plan administration was exposed. "If yes, then it may
be time for a crash course on the HIPAA Breach Notification Rule," he
says.

The "wall of shame" website, which lists major health data breaches
impacting 500 or more individuals, lists several breaches reported by
employers outside of the healthcare sector.

For instance, the federal tally shows that in September 2018, "Toyota
Industries North America, Inc. as plan sponsor to the Toyota
Industries North America, Inc. Welfare Benefit Plan," reported to HHS
a hacking/IT incident involving email that impacted 19,000
individuals.

In a statement last September, Toyota said the incident potentially
impacted the security of certain personal information and PHI.

Steps to Take

Employers with self-insured group health plans will typically handle
information that is protected by the HIPAA privacy and security rules,
notes privacy attorney David Holtzman of security consultancy
CynergisTek.

"While employers are not considered covered entities, the group health
plans sponsored by employers are HIPAA covered entities and do have
obligations to comply with the HIPAA standards," he says.

"The bottom line is that any organization that sponsors a self-funded,
self-insured benefit plan that pays for some type of healthcare ...
must have a program in place that limits access to the data of the
benefits program and a risk-based information security program to
protect the data," he says.

Among the basic practices these companies should put into place are:

- Establish privacy policies that outline permitted and required uses
and disclosures of the information by the group health plan to the
plan sponsor or employer;
- Provide employees with a notice of privacy practices that describes
how health information may be used and disclosed and how the
individual employee or covered dependent may access that information;
- Design and implement administrative, technical and physical
safeguards to protect PHI in accordance with the HIPAA standards;
- Identify if there is any PHI from the group health plan in the
employer's information systems;
- Perform a risk analysis to identify potential threats against ePHI.

Klaussner Breach Details

In its statement, Klaussner says that upon discovery of the incident,
it initiated an internal investigation, retained a forensic firm and
notified law enforcement of the incident.

"As part of its investigation, Klaussner recently learned that an
unauthorized third party gained access to two computers on its network
that contained certain personal information about a limited number of
current or former employees, and some of their dependents. At this
time, Klaussner is not aware of any fraud or identity theft as a
result of this event," the company says.

The information stored in the affected computers varies by individual,
but may include names, addresses, Social Security numbers, financial
account information, dates of birth, health information, and health
benefit election, Klaussner says.

The company did not describe in its statement the type of hacking
incident that occurred. But it says it has taken steps to bolster its
information and data security practices and procedures, "including
rebuilding affected systems, installing additional security measures,
and exploring additional security changes in order to help prevent
this type of incident from reoccurring in the future."

Klaussner says it is offering one year of prepaid identity protection
services to individuals affected by the incident.

