This recent email data breach affecting a Georgia-based eye care group is yet another indicator that threats to data security are becoming more commonplace for healthcare professionals across every part of the industry. Large-scale data breaches are no longer confined to hospitals and enterprise health systems. It’s more important than ever before for small-to-mid-size healthcare providers to start addressing their data security and HIPAA compliance to avoid data breaches and fines.
EyeSouth Partners reported a data breach that allowed a hacker to gain access to an employee’s email account, resulting in a breach of approximately 24,000 patients’ electronic protected health information (ePHI).
EyeSouth Partners is a business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. A HIPAA business associate is any individual or entity that may encounter protected health information (PHI) on behalf of covered entities; PHI is any form of information that can be used to identify a patient. On October 25, 2018, EyeSouth Partners discovered that an unauthorized individual had gained access to an employee’s email account.
Since EyeSouth Partners is a business associate to these four entities, that means that the organizations should have executed a business associate agreement (BAA). A business associate agreement outlines what business associates can or cannot do with PHI that they have access to, how they will protect that PHI, how they will prevent PHI disclosure, and the appropriate method for reporting breaches if one does occur.
Business associate agreements also help protect healthcare providers in the event of a data breach. In email data breaches like this one, it’s common for providers to be held liable for data breaches that were caused by a business associate. That’s why business associate agreements are so essential: not only do they ensure that data is protected properly, they also serve to protect against liability in the event of a breach.
The HIPAA Omnibus Rule was enacted in 2013. This rule made several changes to HIPAA compliance requirements, specifically for business associates. The Omnibus Rule states that a business associate agreement must be executed prior to the exchange of any data with a business associate. Additionally, covered entities (such as healthcare providers) must be able to demonstrate that they performed due diligence regarding a potential business associate’s HIPAA compliance and data security capabilities.
The Omnibus Rule also requires that all business associates must be HIPAA compliant if they are handling, managing, or transmitting PHI or ePHI in any way.
EyeSouth Partners and the four organizations should have executed business associate agreements prior to any PHI being shared. Had this been done, it would have shown that both parties had performed their due diligence and taken steps to protect their data from this kind of email data breach.
The investigation into the email data breach concluded that the hacker first gained access to the email account on September 11, 2018, and that the email remained accessible until October 25, 2018. The email account was secured quickly after EyeSouth Partners became aware of the breach. Procedures were also implemented for security purposes to prevent any future data breaches.
A third-party computer forensics firm assisted with the investigation and determined that patients of Georgia Eye Associates were the ones mainly affected by the data breach. On December 19, 2018, EyeSouth Partners discovered that the hacker had potentially accessed emails containing the ePHI of those patients.
The information in the emails may have included addresses, telephone numbers, email addresses, insurance provider names, and summaries of charges and account balances, among other identifiable information.
All patients affected by the breach have been notified and offered complimentary credit monitoring services.