Dental Care Alliance announced a breach affecting hundreds of their clients. More details on the dental care vendor breach are discussed.
What Caused the Dental Care Vendor Breach?
Dental Care Alliance (DCA) provides practice support for 320 dental practices across 20 states. Recently, they announced that they had suffered a healthcare hack that allowed unauthorized access to their network. The dental care vendor breach is the second-largest breach reported in 2020.
The month-long network hack, lasting from September 18 to October 13, allowed an unauthorized entity to access the protected health information (PHI) and credit card information of 1 million patients. Although the investigation into the dental care vendor breach is ongoing, PHI potentially compromised in the incident includes patient names, contact details, dental diagnoses, treatment information, patient account numbers, billing details, dentists’ names, bank account numbers, and health insurance data.
In response to the incident DCA has assessed its network security, implemented mandatory password resets, upgraded its security systems, and provided additional cybersecurity training to employees.
What Happens When Your Business Associate is Breached?
When one of your business associates experiences a breach, not only does it potentially compromise your patients’ PHI, it can also lead to additional ramifications. As a healthcare organization it is your obligation to ensure that your business associates adequately secure your organization’s PHI. As such, you must vet your vendors before you share PHI with them.
A vendor questionnaire, similar to a security risk assessment, assess your potential vendor’s security measures against HIPAA standards. The vendor questionnaire is meant to find gaps in the business associate’s security measures, any gas found should be addressed with remediation efforts before you share PHI with them.
In addition, HIPAA requires you to have a signed business associate agreement (BAA) with your business associate before contracting them to create, maintain, store, transmit, or receive PHI on your behalf. A BAA dictates the security measures that the business associate is required to have in place, and requires each singing party to maintain their HIPAA compliance.
If you fail to send your business associate a vendor questionnaire, or have a signed BAA with them, should they experience a healthcare breach you will be held liable for any security deficiencies found. This can lead to costly fines, reputational damage, and corrective action plans.
