The incident compromised information belonging to Woodcreek Provider Services employees, providers, applicants, contractors and patients who received services from MultiCare and/or Woodcreek Healthcare. Information potentially compromised included full names, dates of birth, Social Security numbers, student identification numbers, health insurance policy numbers, bank account numbers (from direct deposit forms and voided checks), resumes, transcripts, performance appraisals, criminal background check reports, court documents related to garnishments, court orders and decrees, copies of diplomas, degrees, board certifications, Drug Enforcement Agency certificates, payroll withholding authorizations for 401k elections and insurance deduction authorizations, benefit enrollment forms, payroll tax forms (W2s, W4s, 1095s and K1s), and employee health information, including vaccination records, on-the-job injury reports and safety incident reports.
Importance of Vetting Business Associates
This healthcare data breach, along with several other recent breaches, points to the importance of vetting your business associates. Your business associates' vulnerabilities are ultimately yours. So before choosing a business associate, it is important to assess their cybersecurity and HIPAA compliance.
This is accomplished by sending business associates a questionnaire that is much like the risk assessment that you are required to complete to comply with HIPAA. Additionally, HIPAA requires you to have signed business associate agreements (BAAs) with your business associates before you are permitted to share PHI with them. A BAA is a legal agreement that requires each signing party to be HIPAA compliant and to be responsible for maintaining its own compliance. Without a BAA, should your business associate experience a breach, you would be held liable.