Hack on a Services Firm's Vendor Affects 271,000 PatientsBreach Is Latest in Long List of Complex Vendor Incidents
An Oklahoma-based provider of administrative and technology services to healthcare organizations is notifying more than 271,000 individuals that their personal information may have been compromised in a hacking incident involving a third-party data storage vendor.
The breach is the latest in a long and growing list of major health data security incidents reported to regulators in 2022 involving vendors and sometimes very complicated third-party relationships.
Avem Health Partners - itself a third-party provider of IT services to healthcare entities - in a breach report filed on Dec. 13 to the state of Maine's attorney general's office - says that patient information stored on servers of one of its vendors was subject to unauthorized access in an external hacking incident in May.
Avem, in a breach notification statement posted on its website, says "it was notified of a data security incident experienced by 365 Data Centers, a data storage vendor used by a third-party service provider engaged by Avem."
Scott Mendeloff, an attorney representing 365 Data Centers, in a statement to Information Security Media Group Tuesday evening, says that Avem's filing with the Maine attorney general’s office "alleges that Avem was the customer of another (unnamed) entity that allegedly was a 365 customer."
But Avem’s Maine filing "fails to include the fact that on July 13, our client 365 notified all its affected clients that a highly reputable independent third-party cybersecurity firm had examined 365’s systems and attested 'with a very high degree of confidence [that 365’s] cloud environment's connected devices contain no malware and that there is no evidence of unauthorized access to or exfiltration of data' from the 365 system," he says.
"In other words, if Avem data had been in the 365 cloud environment, the cybersecurity expert found no indication that those data had been accessed or removed," he says.
Avem did not immediately respond to ISMG's request for additional details and clarification about the breach, including how many of Avem's healthcare entity clients were affected.
Affected Avem files contained patient information, including names, birthdates, Social Security numbers, driver's license numbers, health insurance information, and diagnosis and treatment information.
Avem is offering affected individuals one year of complimentary identity and credit monitoring. The company also says it is examining its vendor relationships and evaluating vendors' security measures.
As of Tuesday, the Avem incident did not yet appear on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Business associates were at the center of nearly 40% of this year's reported breaches, so far.
"It may be prudent to reconsider how regulated entities are framing their contractual protections and exposure with regard to vendors," says regulatory attorney Brad Rostolsky of the law firm Reed Smith.
"More attention will need to be paid to business associate agreement indemnity provisions, and I suspect that there will be or should be a harder push to employ vendor security questionnaires and vendor audits."
Several common themes have emerged in many of the major vendor breaches reported in 2022, says regulatory attorney Rachel Rose.
Among them is the importance of entities obtaining reasonable assurance through due diligence that a business associate has adequate technical, administrative and physical safeguards in place, she says.
That includes during a merger and acquisition. "Not conducting adequate due diligence [can] potentially lead to a breach and associated financial and reputation costs," she says.
Looking ahead to the New Year, ransomware and phishing attacks will continue to represent critical areas of exposure to the healthcare industry, Rostolsky predicts.
"I would not be surprised if we start seeing more commercial lawsuits filed by covered entities against vendors that did not institute an adequate security program," he says. "I could also see a push to include express terms in large vendor contracts that more easily enable a breach of contract claim for failing to implement certain security protections."
Update Dec. 21, 2022 1:42 pm UTC: Adds statement from Scott Mendeloff, attorney representing 365 Data Centers.