The protected health information (PHI) of more than 30,000 US patients may have been exposed in a data breach involving Managed Health Services (MHS) of Indiana.
The breach occurred when unauthorized persons accessed employee email accounts at LCP Transportation, a partner of MHS, according to a recent security alert from the organization. MHS serves Indiana residents through the Hoosier Healthwise and Hoosier Care Connect Medicaid programs.
The accounts were accessed sometime between July 30 and September 7, 2018, as a result of a phishing attack on LCP’s systems, MHS said. A phishing attack is a type of security breach that begins when an employee or someone else within an organization receives a deceptive email from an attacker containing a malicious link. When the link is clicked, the employee’s computer, or the entire network, can become infected with malware, and the attackers then have access to information stored within that network. Phishing emails may also direct the recipient to a spoofed login page that captures their credentials, which is how email accounts are often taken over without any malware at all. These attacks can be especially damaging if data encryption has not been implemented, and they can go undetected for long periods of time without proper cybersecurity measures in place.
The PHI that may have been accessed in the email accounts includes names, insurance ID numbers, addresses, dates of birth, and descriptions of medical conditions, MHS said after investigating the data breach.
Third-Party Perils
There is no evidence that the information has been misused, according to MHS, but the breach underscores the risks that arise when organizations share PHI with external service providers. Any third party with whom PHI is shared is considered a business associate under the HIPAA regulations, and business associates are required to be HIPAA compliant in order to safeguard the sensitive PHI they maintain.
Personal information of more than 2.5 million people was compromised in a security breach, according to a statement released by Atrium Health in November 2018. The breach was a result of unauthorized persons gaining access to a patient database hosted by AccuDoc Solutions, a third-party business associate providing payment processing solutions.
“We’re seeing data breaches caused by HIPAA business associates at an alarming rate for healthcare organizations of every size and scope across the country,” said Marc Haskelson, President and CEO of Compliancy Group.
He continued, “HHS OCR has demonstrated time and again that it will enforce HIPAA penalties on providers who have experienced a third-party data breach, even if they aren’t ultimately responsible for the breach! That’s why it’s crucial to have a thorough and complete HIPAA compliance program in place to vet your third-party vendors and business associates against the standards of the regulation.”
At 31,300, the number of potentially impacted patients is relatively small compared to the Atrium breach. However, all breaches affecting at least 500 individuals must be reported to HHS and publicly posted, as required by the US HITECH Act.
Because of this, MHS has the “honor” of being the first healthcare organization to be listed on the 2019 “HIPAA Wall of Shame.”