[BreachExchange] Business Associate Incidents Added to Breach Tally
destry at riskbasedsecurity.com
Fri Jun 19 10:29:23 EDT 2020
Several major health data breaches that have been added to the federal
tally in recent weeks serve as stark reminders of the security and
privacy risks posed by business associates.
Among the incidents recently added to the Department of Health and
Human Services' HIPAA Breach Reporting Tool website are breaches
involving the improper disposal of paper records by a vendor hired to
store and destroy the records; records damaged in a tornado that hit a
vendor facility; and an email hack of employees of a healthcare entity
that is a parent company providing services to more than a dozen
hospitals and other service providers.
Commonly called the "wall of shame," the HHS Office for Civil Rights'
website lists health data breaches affecting 500 or more individuals.
Two of the recently added incidents reported as involving business
associates are among the top three largest health data breaches posted
on the HHS site so far in 2020.
As of Wednesday, 3,273 breaches impacting more than 234.5 million
individuals have been posted to the HHS website since September 2009.
So far in 2020, 208 major breaches affecting nearly 4.7 million
individuals have been added.
The biggest business associate incident recently added to the HHS
website was reported on May 28 by South Bend, Indiana-based Elkhart
Emergency Physicians as an improper disposal breach impacting 550,000
individuals. It's the second largest breach added to the tally this
As of Wednesday, the HHS website shows at least seven other South
Bend-area healthcare providers reporting they were affected by the
same improper disposal incident, affecting a combined total of about
In a May 28 joint statement, Elkhart Emergency Physicians and the
other organizations note the improper disposal incident involved a
former vendor, Indiana-based Central Files Inc., which was "entrusted
to provide secure record storage and destruction" to the healthcare
entities during various time periods ranging from 1999 to 2013.
Entities must consider the security risk BAs pose to digital and paper
patient records, experts say.
"The records entrusted to Central Files included sensitive and legally
protected information about these organizations' patients, clients
and/or employees," the statement notes. "Central Files was paid to
destroy certain records, and was supposed to securely store the
remaining records until transfer to a subsequent records storage
But between April 1 and April 9, the South Bend entities were alerted
that confidential documents entrusted to Central Files "were
discovered improperly dumped in an unsecure South Bend-area location
sometime before April 1, 2020, and several more times until May 15,
An investigation in collaboration with local police "revealed that the
records discovered at the dump site were in poor condition, showing
signs of moisture damage, mold and rodent infestation, and damage from
being mixed with trash and other debris," the statement notes.
"Trained safety personnel determined that further inspection of most
of these records to identify individuals whose information was
included in the documents would be extremely hazardous and instead
recommended secure destruction as soon as possible."
After retaining those records that could be safely salvaged, a
document destruction vendor was hired to destroy the rest of the
records, the statement says.
"At this time, there is no evidence indicating that information from
these records has been used by anyone to cause harm to or compromise
the identity of our patients," according to the statement.
Central Files Inc. was acquired in 2015 by Access, a Woburn,
Massachusetts-based records and information management services
provider. Access did not immediately respond to a request for comment
about the incident involving the Central Files records.
Breach reports involving another business associate incident that
resulted in damaged patient records also have been added to the HHS
website in recent weeks.
That incident was reflected in at least six "unauthorized
access/disclosure" breach reports filed in April; they affected a
combined total of about 9,000 individuals and involved the same
In their breach notifications, the entities say a tornado struck a
building leased by STAT Informatics Solutions in Lebanon, Tennessee,
on March 3, damaging paper records that STAT was contracted to scan
into the hospitals' electronic medical records systems and then
"As a result of the tornado, personal information may have been
potentially exposed to others," one notification states.
Yet another breach involving a BA was reported to HHS on May 5 by BJC
Health System in Missouri, which provides services to hospitals as a
parent corporation. That incident, reported as involving email and
impacting nearly 288,000 individuals, is the third largest breach
posted on the HHS website so far this year.
"On March 6, 2020, we identified suspicious activity within three BJC
employees' email accounts," says a notification statement issued by
BJC. An investigation determined that an unauthorized person gained
access to the employee email accounts for a limited period of time on
March 6, BJC notes.
"The investigation was unable to determine whether the unauthorized
person viewed any emails or attachments in the employee email
accounts," BJC says.
BJC identified emails and/or attachments in the accounts that
contained patient information, which may have included some patients'
names, dates of birth, medical record or patient account numbers, and
limited treatment and/or clinical information, such as visit dates,
provider names, medications, diagnoses, and/or testing information.
In some instances, patients' Social Security numbers and/or drivers'
license numbers were also identified in the accounts, the statement
In its notification statement, BJC lists 14 affiliated hospitals and
healthcare services organizations impacted by the incident.
Healthcare organizations should take steps to reduce the risks posed
by business associates - especially those that handle paper records.
"As healthcare has focused its attention on the digital environment
and how to safeguard electronic information systems, we can lose focus
on developing and maintaining safeguards for retention, storage and
destruction of hard-copy records that contain sensitive personal
information," notes privacy attorney David Holtzman of the security
and privacy consultancy CynergisTek.
"The good news is that organizations can use the same contract
management techniques to assess vendors' processes and safeguards for
protecting paper records and other non-digital formats," he says.
"When an organization is preparing its request for proposals to bring
on a vendor to perform a service that will involve handling PHI on
paper or other hard-copy record, it should take the time to identify
what type and the quantity of records that the contractor will be
responsible for safeguarding."
Organizations should set minimum standards for administrative and
physical safeguards that a prospective vendor would be required to
demonstrate in order to be considered for a project, he adds.
Tom Walsh, president of consultancy tw-Security, says potential
phishing and other email breaches involving business associates
handling PHI are especially frustrating.
"One way a covered entity could prevent its patients from being
impacted by phishing and/or email breaches is to prohibit PHI from
email," he notes. "Is that a practical solution? No. Most healthcare
organizations use their internal email system as a way to communicate
and transport patient information internally and externally.
"Having email encrypted during transmission does little to protect PHI
when a hacker gains the credentials of an authorized user, as is the
case in many of the breaches."
Unfortunately, after email accounts have been compromised, many
organizations realize that their ability to audit email is limited, he
"For example, organizations may be able to determine when a user
logged into email, read or sent an email. But the audit logs may not
record which emails were previously reviewed. That's huge," he says.
"Without detailed logs, an organization may have to assume that all
emails could have been viewed by an authorized person. If a user's
email account had emails with patient information contained in the
body of the email, that could potentially be a reportable breach - an
unauthorized access to PHI," he notes. "Here's a tip: Determine the
granularity/detail of email system audit logs."
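As an added illustration of why log granularity decides breach scope (this is not from the article or from anything the quoted consultants published), here is a scoping routine run over constructed audit records; the event names and fields are assumptions, not any real mail platform's schema.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit records; field and operation names are
# assumptions for illustration, not a specific mail platform's schema.
@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    op: str          # "Login", "Send", or "MailItemRead"
    item: str = ""   # message id for per-message operations, else empty

ITEM_LEVEL_OPS = {"MailItemRead"}

def has_item_level_reads(events):
    """True when the log records which messages were opened, not just logins."""
    return any(e.op in ITEM_LEVEL_OPS for e in events)

def exposed_items(events, user, start, end, mailbox):
    """Messages that must be treated as viewed during the compromise window.

    With per-message read events, scope narrows to the messages actually
    opened in the window. Without them, the only defensible assumption is
    that every message in the mailbox was viewed.
    """
    in_window = [e for e in events if e.user == user and start <= e.ts <= end]
    if has_item_level_reads(events):
        return {e.item for e in in_window if e.op in ITEM_LEVEL_OPS}
    return set(mailbox)

T = datetime.fromisoformat
MAILBOX = {"msg-1", "msg-2", "msg-3", "msg-4"}           # constructed
WINDOW = (T("2020-03-06T08:00"), T("2020-03-06T09:00"))  # constructed

# Log that records only logins and sends (login-level granularity).
COARSE_LOG = [
    AuditEvent(T("2020-03-06T08:05"), "alice", "Login"),
    AuditEvent(T("2020-03-06T08:40"), "alice", "Send", "msg-9"),
]
# Same activity, but the system also records each message opened.
DETAILED_LOG = COARSE_LOG + [
    AuditEvent(T("2020-03-06T08:10"), "alice", "MailItemRead", "msg-2"),
    AuditEvent(T("2020-03-06T08:12"), "alice", "MailItemRead", "msg-3"),
    AuditEvent(T("2020-03-06T12:00"), "alice", "MailItemRead", "msg-4"),  # outside window
]

if __name__ == "__main__":
    print(exposed_items(COARSE_LOG, "alice", *WINDOW, MAILBOX))    # whole mailbox
    print(exposed_items(DETAILED_LOG, "alice", *WINDOW, MAILBOX))  # {'msg-2', 'msg-3'}
```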
Vendor Risk Management
Yolanda Stonewall, senior security consultant at Pondurance, says
organizations should take a number of critical steps to improve vendor
risk management programs. Those include working with the legal
department to incorporate security requirements and right-to-audit
clauses into contract terms and service level agreements.
"Hire reputable vendors with a proven track record of security
compliance," she suggests. "Perform some level of due diligence over
the vendor's security program at least annually."