[BreachExchange] Billing Vendor Breach Affects 275,000

Destry Winant destry at riskbasedsecurity.com
Tue Jul 14 10:07:32 EDT 2020


https://www.databreachtoday.com/billing-vendor-breach-affects-275000-a-14607

Some 275,000 individuals served by a variety of healthcare providers
and health plans had data exposed as a result of a breach at
Houston-based billing and debt collection vendor Benefit Recovery
Specialists Inc.

The BRSI incident appears to be somewhat similar to a breach about a
year ago affecting another medical debt collection company, American
Medical Collection Agency. That incident impacted more than two dozen
of the firm's clients and more than 20 million individuals, according
to the HHS website.

"What is disturbing is that we are beginning to see a trend in the
medical debt collection services that may reflect inadequate
cybersecurity safeguards in the sector," says privacy attorney David
Holtzman, principal of consulting firm HITprivacy LLC.

Holtzman suggests that healthcare organizations carefully review
whether they are BRSI customers. "It may not be readily apparent
because many business units contract or maintain relationships with
service providers that may not be entirely known throughout the
organization," he points out.

Organizations that are BRSI clients will need to "initiate their
incident response plan, which will include an inventory of the
patients whose PHI was maintained by the vendor on their behalf. Those
steps should begin now," he stresses.

Added to the Tally

The BRSI breach was added Monday to the Department of Health and Human
Services' Office for Civil Rights' HIPAA Breach Reporting Tool
website.

Also commonly called the "wall of shame," the website lists health
data breaches impacting 500 or more individuals.

The incident is the fifth business associate breach among the top 10
added to the tally so far this year (see: Health Data Breach Trends:
Mid-Year Assessment).

Notification Offers Details

In a June 26 breach notification statement posted on BRSI's website,
the company says that on April 30, it discovered a malware incident
affecting certain company systems.

"We immediately began an internal investigation and took the affected
systems offline to remove the malware and ensure the security of the
BRSI environment," the statement says. "We also began working with
third-party cybersecurity specialists to determine the full scope and
nature of the event and notified federal law enforcement."

The investigation confirmed that an unauthorized actor accessed BRSI's
systems using employee credentials and deployed malware within BRSI's
environment, the statement says.

"The investigation further revealed that certain BRSI customer files
containing personal information may have been accessed and/or acquired
by the unknown actor between April 20 and April 30, 2020," according
to the statement.

Information that may have been exposed includes name, date of birth,
date of service, provider name, policy identification number,
procedure code and/or diagnosis code, BRSI says. For a small number
of individuals, the Social Security number may also have been exposed,
the statement adds.

"Upon learning of the incident, we began working with third-party
specialists to assess and develop a response plan and secure the BRSI
environment," the company says.

BRSI did not immediately respond to Information Security Media Group's
request for additional details, including how many client
organizations were affected by the breach and whether the malware was
ransomware.

Third-Party Risk Management

The BRSI breach, and the similar AMCA breach last year, "should be
motivating healthcare organizations to take prompt action to protect
themselves from the fallout, beginning with shoring up their vendor
relationships," Holtzman says.

"The types of incidents that involve vendors providing debt collection
services to a broad swath of leading healthcare organizations really
are the scariest of incidents because of the breadth and sheer volume
of the data they could be handling," he notes.

"We should take this as an opportunity to prepare for the eventuality
that one of our vendors is going to suffer a cybersecurity incident.
And there are steps we should take to be able to both respond and
recover from an incident that impacts the data that they create or
maintain on our behalf."

Phishing Attack?

The description of the incident provided by BRSI in its breach
notification statement - including the company mentioning that the
perpetrator used employee credentials - points to the possibility that
BRSI's information system may have been compromised through a phishing
attack, Holtzman says.

"It is crucial that organizations educate and make their workforce
members aware of how to recognize and respond to suspicious emails and
to recognize when a specific communication is too risky to open," he
says. "Organizations must have technology in place for a
system-activity audit and review taking place in their information
system area."

Monitoring Business Associates

The BRSI incident also shines a spotlight - yet again - on the privacy
and security risks posed by business associates.

"This should highlight the need to go beyond just having BAs sign a BA
agreement, then not doing any type of oversight or regular follow-up
to make sure that they have actually implemented actions, processes,
procedures and tools necessary to fulfill what the BAA has required
them to do," says Rebecca Herold, president of Simbus, a privacy and
cloud security services firm, and CEO of The Privacy Professor
consultancy.

"When a BA, or any vendor of B-to-B services in any industry, does not
actually do what they have contractually obligated themselves to do,
then they will become a huge security vulnerability. And then breaches
and other types of security incidents will occur."

Herold also points out that HHS "has said many times in many ways
throughout the past two decades that covered entities need to take
actions and 'obtain reasonable assurances' that the BAs are actually
following those [security] requirements during the course of their
business operations."
