On May 13, 2019, security researcher Bob Diachenko found the database behind MedicareSupplement.com publicly reachable on the internet and notified the company of the exposure. Although he never received a response from the company, the database has since been secured and is no longer accessible.
MedicareSupplement.com is a platform that helps consumers find affordable insurance plans to supplement their existing coverage. To tailor insurance offerings and produce quotes, the site collects a wealth of personal information from its users, which is then stored in a marketing database.
The database, which was accidentally left exposed, contained roughly 5 million records of protected health information (PHI); about 239,000 of those records also included insurance details. Exposed data included names, phone numbers, postal addresses, email addresses, IP addresses, birthdates, gender, and insurance information (life, auto, health, and supplemental). The data was stored unencrypted, so anyone who found the server could read it in full. Encryption at rest would have limited what a reader could learn, but it is the lack of access control that matters for integrity: because the database was openly reachable, records may also have been altered or deleted, and the company has no way to rule that out.
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), which enforces the Health Insurance Portability and Accountability Act (HIPAA), requires organizations that experience a breach to report it in a timely manner.
Breach Notification Rule
This massive breach falls into HIPAA's larger reporting category, often called a “meaningful breach,” meaning that it affected 500 or more individuals. Under HIPAA's Breach Notification Rule, a breach of this size must be reported to HHS, to prominent media outlets serving the affected area, and to the affected individuals without unreasonable delay and no later than 60 days after discovery. Companies that experience a “meaningful breach” are also subject to public scrutiny by being listed on the OCR breach portal, commonly known as HIPAA's “wall of shame.”
In the event of a smaller breach, affecting fewer than 500 individuals, an organization must still notify the affected individuals within 60 days of discovery, but it may log the incident and report it to HHS in a batch no later than 60 days after the end of the calendar year in which it was discovered. The organization has no obligation to notify the media of a breach of this size.
With data breaches in healthcare on the rise, it is essential for an organization to implement cybersecurity practices that protect PHI. Without proper safeguards in place, an organization is vulnerable to attack and, following an incident, can expect an OCR investigation or HIPAA audit as well as damage to its reputation.
Need Help with HIPAA Compliance and Cybersecurity?
Compliancy Group gives healthcare providers and vendors working in healthcare the tools to confidently address their HIPAA compliance in a simplified manner. Our cloud-based HIPAA compliance software, The Guard™, gives healthcare professionals everything they need to demonstrate their “good faith effort” toward HIPAA compliance.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and MSP security partners from across the country, who can be contracted to handle your HIPAA cybersecurity protection.