Woodcreek Provider Services was affected by a healthcare ransomware attack on its IT vendor, exposing the data of roughly 200,000 patients. The details are discussed below.
Woodcreek Provider Services Healthcare Ransomware Attack
Netgain Technology, a business associate of Woodcreek Provider Services, suffered a ransomware attack that compromised protected health information (PHI). The attack affected not only Woodcreek Provider Services but also Woodcreek Healthcare and MultiCare, among others. In total, the ransomware attack affected 8,700 of Netgain Technology's family health division clients.
Woodcreek has sent data breach notification letters to affected patients and posted a breach announcement on its website. Woodcreek stated, "Woodcreek's information technology vendor, Netgain Technology, experienced a data breach secondary to a ransomware attack. According to Netgain Technology's investigation, the breach occurred sometime between November 24 and December 3, 2020, although it is possible that access to Netgain's systems was as early as September 2020."
The incident affected Woodcreek Provider Services employees, providers, applicants, contractors, and patients who received services from MultiCare and/or Woodcreek Healthcare. Information potentially compromised included full names, dates of birth, Social Security numbers, student identification numbers, health insurance policy numbers, bank account numbers (from direct deposit forms and voided checks), resumes, transcripts, performance appraisals, criminal background check reports, court documents related to garnishments, court orders and decrees, copies of diplomas, degrees and board certifications, Drug Enforcement Administration (DEA) certificates, payroll withholding authorizations for 401(k) elections and insurance deductions, benefit enrollment forms, payroll tax forms (W-2s, W-4s, 1095s, and K-1s), and employee health information, including vaccination records, on-the-job injury reports, and safety incident reports. Note that much of this is employment and financial data rather than PHI, so the exposure goes well beyond HIPAA-covered information and carries identity-theft and financial-fraud risk for staff as well as patients.
Importance of Vetting Business Associates
This healthcare data breach, along with several other recent breaches, points to the importance of vetting your business associates. A business associate's vulnerabilities are ultimately yours: a compromise of a vendor that stores or processes your PHI is a compromise of your PHI. So before choosing a business associate, it is important to assess both their cybersecurity posture and their HIPAA compliance.
This is typically accomplished by sending business associates a security questionnaire modeled on the risk analysis that you are required to complete under the HIPAA Security Rule. Because a questionnaire is self-attested, ask for supporting evidence where it matters (for example, a recent third-party audit report or penetration test summary) rather than accepting checkbox answers alone. Additionally, HIPAA requires you to have a signed business associate agreement (BAA) with each business associate before you are permitted to share PHI with them. A BAA is a legal agreement that obligates each signing party to comply with HIPAA and to be responsible for maintaining their own compliance. Sharing PHI without a BAA is itself a HIPAA violation, and if the business associate then suffers a breach, you would be held liable. A BAA does not transfer away all of your responsibility, however: as the covered entity you remain accountable for performing due diligence on the vendor and for your own breach notification obligations.