Ransomware, Vendor Breaches Spike on Federal Tally
Analysis of Latest Major Health Data Breaches Posted to HHS OCR Website
… “Vendor data breaches in healthcare are running higher in 2021 than we’ve seen in previous years,” says Susan Lucci, who tracks breach trends as a senior privacy and security consultant at consultancy tw-Security.
“In the second quarter of 2021, nearly 70% of all the individuals impacted by large data breaches as reported to HHS were caused by business associates,” she notes.
… The long lag that can occur between a business associate discovering a data security incident and its determination that the PHI of its clients’ patients was compromised in that incident adds to the risks posed by vendors, according to Lucci.
“The process of determining whether an unauthorized access has taken place can take a relatively long time,” she says.
For instance, in the case of Lifelong and Netgain, it appears to have taken approximately three months before Netgain determined that data had been compromised, Lucci notes.
“Then, it wasn’t until nearly six months later before Lifelong determined that significant PHI and personally identifiable information had been compromised.”
The takeaway is that business associate agreements must require notification within a very short period of time, such as five business days, and should also include similar requirements for any subcontractors of the business associate, she suggests.
“The notification process to both individuals and HHS has time constraints,” Lucci adds.
“Having to notify individuals that a data breach has occurred is something that no healthcare organization wants to do. But doing so many months after the breach took place can be even more troublesome.”