2 Vendor Hacks Affect Nearly 1.5 Million and CountingThe Business Associates Also List Dozens of Affected Covered Entity Clients
Two hacking incidents involving vendors providing IT-related and other services to dozens of covered entity clients demonstrate how mounting reliance on third parties creates increased risk to patient data.
One incident involves Avamere Health Services LLC, a business associate providing IT services to healthcare entities. The other originates with OneTouchPoint, a company providing printing and mailing services to health insurers.
They each join a number of other large health data hacks reported so far this year by critical vendors affecting a growing list of their healthcare sector clients and their patients (see: At Half-Year Mark, Ransomware, Vendor Breaches Dominate).
"The trend of third parties being compromised for health records they hold on behalf of covered entities will not abate anytime soon, and in fact seems to be increasing," says Michael Hamilton, CISO of security firm Critical Insight.
The Avamere, Infinity and OneTouchPoint incidents follow a growing tally of other business associates reporting major data security incident this year.
So far, the two single largest HIPAA breaches posted on the HHS OCR website this year involve vendors.
That includes a data exfiltration incident reported by medical imaging services provider Shields Health Care Group that affected 2 million individuals. The HHS "wall of shame" also shows dozens of 2022 breaches affecting a total of nearly 3 million individuals reported by covered entity clients of cloud-based electronic health record vendor Eye Care Leaders, which detected a hacking incident late last year.
"The lesson to be learned from these events is that vendors with access to [patient] records are being targeted, and the legal language between business associates and covered entities should recognize and accommodate this fact," Hamilton says.
"We are probably moving into changes to these relationships that involve auditable controls and not just assertions," he adds. "Third-party security - especially in the health sector - has come very much into focus as a bit of a blind spot."
The Avamere Health Services hacking incident has so far resulted in two related health data breaches affecting nearly 100 covered entities and a total of nearly 381,000 individuals being reported to federal regulators.
Avamere Health Services is part of the Wilsonsville, Oregon-based Avamere Family of Companies, which operates dozens of senior living and healthcare facilities in Oregon.
Avamere on July 13 reported to the Department of Health and Human Services a hacking incident involving a third-party network server and affecting nearly 198,000 individuals. Avamere in its breach notification statement posted on its website lists about 80 covered entity clients - mostly part of the Avamere family of companies - affected by the incident.
Intermittent unauthorized access to a third-party hosted network utilized by Avamere occurred between Jan. 19, and March 17, the company says.
Affected information included full names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.
Affected covered entities include senior living and healthcare facilities, such as hospices and assisted living facilities.
In addition to Avamere's report to federal regulators about the hacking incident, so far at least one of Avamere's covered entity clients not listed in Avamere's breach notification statement - Oregon-based Premere Rehab, LLC, which operates under the name "Infinity Rehab" - separately reported the incident to HHS' Office for Civil Rights as affecting another 183,000 individuals.
Infinity, which is also part of the Avamere family of companies, in its breach notification statement lists about 15 of its own covered entities clients affected by the Avamere incident.
Neither Avamere nor Infinity immediately responded to Information Security Media Group's request for comment and additional details about the incident.
In addition to the Avamere/Infinity incident, Wisconsin-based OneTouchPoint, a vendor that provides printing and mailing services, is reporting an apparent ransomware incident affecting more than three dozen of its health insurer clients - and nearly 1.1 million individuals, according to a breach report submitted by the company to Maine's attorney general on July 27.*
As of Monday, a report involving the OneTouchPoint incident did not yet appear on the HHS OCR HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals. But once it is added, it will rank among the largest health data breaches reported so far this year to federal regulators.
In a notice posted on its website, OneTouchPoint says that on April 28, it discovered encrypted files on certain computer systems.
Unauthorized access to certain OTP servers began on April 27, the statement says. The company says the affected systems contained information provided by its health insurer customers, but it is unable to determine definitively what personal information was accessed by the unauthorized actor.
The scope of information potentially affected by the incident includes name, member ID and information that may have been provided during a health assessment, OneTouchPoint says.
The company on its notification statement lists 38 health insurer clients affected by the incident.
OneTouchPoint did not immediately respond to ISMG's request for additional information pertaining the incident.
Addressing Third-Party Risk
Regulatory attorney Paul Hales of the Hales Law Group says the Avamere and Infinity breaches apparently originated at an unidentified Avamere subcontractor providing hosting services.
"HIPAA requires a documented 'chain of trust' running from covered entities to business associates to subcontractor BAs. A breach at any weak link in the chain can cause a breach," he says. "Chances of a breach increase as the chain gets longer."
Large BAs often rely on generic IT security procedures that meet some, but not all HIPAA requirements, resulting in self-assured complacency, he says. "Common failures include inadequate risk analysis, risk management and regular technical and nontechnical security evaluations."
Business associate HIPAA compliance is the healthcare industry's Achilles' heel, he says. "Initially business associates were not directly liable for HIPAA compliance so they are late to the game," he adds.
*Updated Aug. 1, 2022 21:18 UTC to reflect the number of individuals affected by the OneTouchPoint breach as reported by the company to Maine's attorney general.