A Connecticut CPA cyberattack has earned a place on HIPAA’s “ Wall of Shame” after possibly exposing the protected health information (PHI) of at least 6,215 individuals.
Fiondella, Milone & LaSaracina (FML), of Glastonbury, CT, reported the hacking incident to the Department of Health and Human Services’ Office for Civil Rights on January 14, 2022.
Background of CPA HIPAA Breach
According to a notice updated on the firm’s website on January 17, 2022, there was unusual activity detected on the company network on September 14, 2021. The discovery prompted an unspecified response by the firm and an investigation.
On October 13, 2021, preliminary findings revealed that hackers accessed and potentially copied information in network folders between September 9-14, 2021. Further investigations determined that these folders contained names and Social Security numbers.
Some files also included information about ambulance trip(s), including date and tracking numbers, service level, payor type(s) and category, mileage information, charge/payment information, billing review information, and remittance advice details which may have included medical information.
Under HIPAA regulations, this CPA HIPAA breach likely contained PHI. If so, FML is required to notify affected individuals in writing within 60 days of the breach. The HIPAA Breach Notification Rule also requires reporting any breach that affects 500 or more individuals to the HHS Secretary and local media outlets within 60 days of discovery.
This breach of HIPAA regulated information may be part of a more significant breach that affected nearly 54,000 individuals. A filing with the Office of the Maine Attorney General reported that FML notified consumers on November 24, 2021, of a hacking incident that covered the same time with the same date of discovery.
Response to CPA Breach
In response to the cyberattack, the FML stated that they are, “…reviewing and enhancing existing policies and procedures and implementing additional safeguards to further secure the information in our systems in the future. We reported this incident to federal law enforcement and are also notifying relevant regulatory authorities.”
They also advised individuals who are potentially affected to remain vigilant against identity theft and fraud incidents by reviewing account statements and monitoring free credit reports for suspicious activity and possible errors.
The data breach notice filed with the Maine Attorney General noted that FML offered consumers 24 months of credit monitoring and identity protection through Experian. The updated notice of the CPA HIPAA breach on the firm’s website made no mention of this offering.
Aftermath of CPA Breach
It is most likely that FML was acting as a business associate as defined by the HIPAA law. In this role, FML is responsible for complying with HIPAA Privacy Rule and Security Rule mandates regarding the protection and release of patient PHI.
These responsibilities include regular Security Risk Analysis (SRAs), policies and procedures to establish how PHI data should be handled, and training to ensure all employees understand the requirements for protecting PHI.
Business associate agreements between FML and any covered entity or other business associates must be signed before transfer of PHI.
It is yet to be determined whether any violations of HIPAA regulations occurred in this incident. If OCR investigators find violations, penalties can range from providing additional guidance to substantial fines for serious offenses.
This case underscores the growing risk posed by cybercriminals and the need for businesses who must operate under HIPAA regulations to be even more vigilant about their compliance. A hacking or ransomware incident damages the financial health and reputation of everyone affected.
If the investigation into the incident reveals HIPAA compliance failures, the damage is multiplied. Compliancy Group has experts on staff who can get you compliant, keep you compliant, and help you identify better ways to protect your business.
