Benefit Recovery Specialists Inc., a debt collection and billing vendor based in Houston, has suffered a breach affecting 275,000 patients. Because the vendor services multiple healthcare entities, including health plans and healthcare providers, a single intrusion at the vendor exposed data belonging to many organizations. The billing vendor breach is discussed below.
Billing Vendor Breach: What Happened
On April 30, Benefit Recovery Specialists Inc. (BRSI) discovered malware on its systems. The investigation found that an unauthorized individual had used an employee’s login credentials to access BRSI’s systems and then introduced the malware. The initial access therefore relied on valid employee credentials rather than on a flaw in the systems themselves. The unauthorized access lasted from April 20 to April 30, so the intruder had a foothold for roughly ten days before the malware was detected.
BRSI’s statement said, “We immediately began an internal investigation and took the affected systems offline to remove the malware and ensure the security of the BRSI environment. We also began working with third-party cybersecurity specialists to determine the full scope and nature of the event and notified federal law enforcement.”
The compromised protected health information (PHI) included name, date of birth, date of service, provider name, policy identification number, procedure code, and diagnosis code. Some patients also had their Social Security numbers exposed.
Billing Vendor Breach: Similar Incidents
Experts have pointed to the similarities between the BRSI breach and the American Medical Collection Agency (AMCA) breach, which exposed the PHI of 20 million patients.
Privacy attorney David Holtzman commented on the incident, “The types of incidents that involve vendors providing debt collection services to a broad swath of leading healthcare organizations really are the scariest of incidents because of the breadth and sheer volume of the data they could be handling.”
Holtzman continued, “What is disturbing is that we are beginning to see a trend in the medical debt collection services that may reflect inadequate cybersecurity safeguards in the sector.”
He added, “We should take this as an opportunity to prepare for the eventuality that one of our vendors is going to suffer a cybersecurity incident. And there are steps we should take to be able to both respond and recover from an incident that impacts the data that they create or maintain on our behalf.”
Billing Vendor Breach: Business Associate Management
This incident is one of the top ten business associate breaches reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) this year. HHS has made clear, including in dedicated guidance, that covered entities are responsible for ensuring that their vendors adequately protect the PHI shared with them. Rebecca Herold, president of Simbus and CEO of The Privacy Professor consultancy, commented on the HHS guidance, stating that the agency “has said many times in many ways throughout the past two decades that covered entities need to take actions and ‘obtain reasonable assurances’ that the BAs are actually following those [security] requirements during the course of their business operations.”
Herold added, “This should highlight the need to go beyond just having BAs sign a BA agreement, then not doing any type of oversight or regular follow-up to make sure that they have actually implemented actions, processes, procedures and tools necessary to fulfill what the BAA has required them to do.”