The data breach experienced by American Medical Collection Agency (AMCA), a third-party bill-collection vendor for healthcare institutions, affected 17 health institutions, including the United States’ biggest lab testing companies, Quest and LabCorp. The incident came to light in early June.

Hackers exploited a vulnerability in AMCA’s web payment portal and reached the company’s database, which was filled with customers’ personal and payment information. Overall, more than 24 million customers were affected. Attackers gained access to sensitive patient information including names, addresses, phone numbers, dates of birth, dates of service, balance information, payment card or banking information, social security numbers, and personally identifiable medical information.

Figure 1: Affected Institutions and the Size of the Potential Breach

Third-Party Data Breaches in Healthcare

The healthcare industry requires many types of third-party service providers and vendors, especially those related to information technology and management. Health insurance companies, medical equipment suppliers, imaging centers, marketing companies, data-management companies, and website/email providers are all potential third parties for the healthcare industry.

The healthcare industry is constantly under attack because of the valuable sensitive information recorded by providers. Attackers can find a pivot point into a healthcare provider’s systems through these third parties, gaining access to sensitive data. Black Kite examined more than 40 major data breaches that occurred in 2017 and showed that third-party vendors are the second most frequent cause of a breach, after phishing attacks. Some of the recent data breaches caused by a third party in the healthcare industry are:

  • March 2019: Wolverine Solutions Group (WSG) was attacked by malware injection. The malware affected many institutions other than WSG, including Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health in southwestern Michigan, North Ottawa Community Health System in Grand Haven, and at least two hospitals in northwestern Pennsylvania – Warren General Hospital and the University of Pittsburgh Medical Center Kane.
  • March 2019: Rush University Medical Center suffered a data breach through Rush’s third-party financial services vendors that affected 45,000 patients.
  • December 2018: Indiana Health Group was breached through a phishing attack on a third party, exposing 31,000 patient records.
  • September 2018: Baylor Scott & White Medical Center discovered an error that caused a data leak in a third-party vendor’s credit card processing system. The breach impacted approximately 47,000 patients.
  • November 2018: Hackers gained access to AccuDoc Solutions Inc., which provides billing services to Atrium and about 50 other hospitals and health-care systems. 2.65 million patient records including names, addresses, dates of birth, invoice numbers, account balances, dates of service, insurance policy information and Social Security numbers were compromised.
  • August 2018: Back-up pharmacy services provider MedCall put a 7GB cache of data that included medical information in an unsecured Amazon S3 bucket.
  • August 2018: Hova Health, a telemedicine vendor, misconfigured its MongoDB database. As a result, 2.4 million patients’ data was leaked.
  • June 2018: Nuance, the vendor of UC San Diego Health, discovered that an unauthorized party accessed medical transcription platforms. The breach affected about 45,000 people, including 619 UC San Diego Health patients.
  • February 2018: Orlando Orthopedic’s transcription vendor made a mistake during a software update. Due to this error, access to the database was allowed for two months without authentication. The result was a breach of 19K patient records, which included patient names, dates of birth, insurance details, employers and medical treatment.
  • August 2017: A hack of Mid-Michigan Physicians Imaging Center potentially exposed more than 100,000 patient records.
  • June 2017: A medical-equipment supplier, Airway Oxygen, was hacked and the attackers installed ransomware, holding 500,000 clients’ records hostage.
  • May 2017: iHealth Innovations, a third party managing the record backups for healthcare providers, caused a breach of tens of thousands (possibly up to millions) of patient records at Bronx-Lebanon Hospital Center in New York City.
  • March 2017: An attack on a third-party vendor system used by Brand New Day (a Medicare-approved health plan) caused a potential breach of 14,000 patients’ information, including names, addresses, phone numbers, dates of birth, and Medicare ID numbers of the plan’s members.
  • February 2017: New Jersey Diamond Institute for Fertility and Menopause utilized a third-party server to store electronic health records. But the advantage of having a third party manage these records turned into a nightmare when more than 14,000 patients’ sensitive information (including names, addresses, birth dates, social security numbers, lab tests, and sonograms) was exposed after a cyber-attack on this server.
  • January 2017: CoPilot, a commercialization support service, experienced unauthorized access to one of its databases used by both healthcare providers and patients. A breach of 220,000 patient records resulted.
  • January 2017: A misconfigured MongoDB database, which contained data from over 200,000 patients and other sensitive information linked to Emory Brain Health Center, was hijacked by hackers looking for ransom money.

3rd-Party Vendors of Healthcare Providers Must Meet HIPAA Regulations

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the European Union General Data Protection Regulation (GDPR) hold companies responsible for exposures of personal data. Most of these regulations and federal laws consider organizations accountable even if the data breach was caused by a third party. HIPAA is no exception.

HIPAA aims to protect the health-related and personal information of individuals, including medical records, health insurance data, and patient social security numbers. This type of personal information holds a high value and is profitable on the black markets of the dark web. Every year, hacking incidents increase and pose a significant cyber risk to healthcare providers [1].

Hacking IT incidents

What is HIPAA’s Take on Third-Party Vendors?

Many healthcare providers and health plans (covered entities) know the consequences of not following the guidelines set by HIPAA rules, and consequently they work hard to comply by protecting data as much as possible. However, some don’t know that their third parties (business associates, partners, subcontractors) must also meet the same HIPAA regulations. For example, suppose patients’ data is given to a research company (a business associate) and the research company engages a data-management firm (a subcontractor) for data storage. Both the research company, as a business associate, and the data-management firm, as a subcontractor, must abide by the same HIPAA rules as the healthcare providers and health plans (the outsourcers).

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule of January 2013 set some ground rules for business associates of covered entities. In part, those associates must:

  • Comply with the applicable requirements of the rule (effective date was September 23, 2013).
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.

A covered entity may disclose protected health information (PHI) to a business associate under a written contract that includes specific assurances to comply with stated sections of the rule. The same type of arrangement may also be applied by the business associate to its own subcontractors that require access to PHI data.

How Can Healthcare Providers Make Sure that Third Parties Comply with HIPAA Rules?

Healthcare providers should monitor and assess the cyber risk of their third parties and understand the level of HIPAA compliance required of third-party vendors. One healthcare provider may have hundreds of vendors and suppliers, and any number of those third parties may not be familiar with HIPAA rules.

Black Kite Cyber Risk Scorecard is a security rating tool that helps healthcare providers with this difficult task. The Scorecard provides easy-to-understand risk scores for a company and the ecosystem formed by its third parties. This tool is useful for healthcare providers both during the procurement phase and in ongoing due diligence processes, because it provides an understanding of the potential risk posed by the third-party company. By utilizing the Scorecard to identify known risks, the third party can correct these issues and provide greater protection for its clients’ data.

Black Kite also provides compliance reports for many national and international standards, including HIPAA rules. Once a healthcare provider submits a list of its third parties’ domain names, the Cyber Risk Scorecard is developed by conducting a non-intrusive examination of the digital footprint of those third parties across the web. Black Kite’s Cyber Risk Scorecard assesses the cyber risk posed by those service provider relationships and provides an estimate quantifying and ranking the level of compliance assurance of each provider. The Scorecard is based on publicly available information. Healthcare providers can supplement the Scorecard by sharing it with their third parties, allowing each third party to address any security gaps or concerns the Scorecard identifies.

Figure 2: Sample HIPAA Compliance Tab of Black Kite Cyber Risk Scorecard

Healthcare service providers and other vendors do not always know what they need to do to meet HIPAA rules, even if they serve the healthcare field. A vendor may be more familiar with regulations other than HIPAA. For instance, a vendor that deals with credit card transactions may be more familiar with PCI DSS, and a vendor that processes EU citizens’ data may be more familiar with GDPR. Thus, some vendors may not understand HIPAA requirements. Fortunately, Black Kite offers cross-walking between regulations and frameworks, making the task of tracking and meeting requirements easier for both healthcare providers and their third parties.

Figure 3: Sample Black Kite Cyber Risk Scorecard Compliance Overview Report

Black Kite can also correlate information provided by third parties to their customers (the outsourcers) on other regulations, such as NIST 800-53, PCI DSS, ISO 27001, COBIT, and GDPR. This information can be used to estimate the level of compliance with HIPAA for a given vendor.

Act now and learn more about your company and its third parties here.

Figure 4: Sample Black Kite Cyber Risk Scorecard Compliance Dashboard