Hacking Incident at Billing Vendor Affects 270,000 Patients
A hacking incident at a claims processing company in New York has impacted 270,000 patients of 42 physician practices, which means it likely is one of the largest health data breaches so far this year.
While the investigation is ongoing, Med Associates says it has determined that the information on 270,000 patients that may have been accessible from the workstation includes patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes and insurance information, including insurance ID numbers.
Several different attack vectors can lead to workstation compromise, notes Keith Fricke, partner and principal consultant at tw-Security. “Whether it be phishing attacks tricking people into opening malware-infected attachments or visiting a website harboring malware, protecting workstations with up-to-date operating system and application patches is key,” he says.
“Having defense-in-depth measures to filter and block websites and email helps reduce risks as well. Sometimes criminals trick people into thinking they need online computer support from an unknown party, leading to workstation compromise.”
Recurring workforce training also is important, Fricke says. “Keeping security awareness top of mind helps prevent lax practices from creeping back into personal and work habits involving access to sensitive information.”
The Med Associates breach spotlights again the risks to patient data posed by vendors.
“Obtaining reasonable assurances from your business associates extends well beyond getting them to sign your business associate agreement,” says Susan Lucci, senior privacy and security consultant at tw-Security. “Obtain evidence of their compliance with all aspects of HIPAA, in particular, compliance with the security rule and the fact they are educating their workforce on privacy and security practices.”