HIPAA business associates be warned: your email accounts are a prime target for hackers.
A review of the five largest data breaches at business associates so far this year shows a pattern – all five center on email.
In some cases, the compromise of a single email account exposed personal information for tens of thousands of people.
Phishing attacks caused three out of five of the breaches.
Not enough is known publicly about the remaining two to determine a cause – but all five breaches hit the same location: email.
Here are the five biggest business associate breaches in 2019 to date, according to the HIPAA Breach Portal.
On October 11, Centerstone realized a hacker had used phishing attacks to gain access to several employee email accounts.
The breach went undiscovered for four months, beginning in June 2018.
“Emails in the affected mailboxes may have included names, addresses, social security numbers, dates of birth, bank account numbers, and information relating to payment of insurance premiums,” according to a data breach notice letter sent to the New Hampshire Attorney General.
Centerstone (doing business as BenefitMall) provides services for employee payroll and benefits, including the administration of health insurance benefits.
This is the seventh-largest HIPAA breach reported in 2019 so far, according to the breach portal.
A hacker used a phishing attack on July 30 to breach employee email accounts at LCP Transportation. The breach was not discovered until Sept. 7, when the accounts were disabled.
The types of data exposed include insurance ID number, address, date of birth, date of service, and description of medical conditions.
LCP is a business associate and provider of transportation services to Managed Health Services (MHS) of Indiana. MHS learned of the breach on Oct. 29 and notified its members in December, according to a news release.
However, LCP’s spot on the HIPAA Wall of Shame lists the breach submission date as March 25. This suggests a delay of more than six months before authorities were notified of the associate’s breach.
The compromise of a single employee email account at Superior Dental Care (SDC) caused a data breach affecting more than 38,000 people.
SDC, a dental plan provider, detected suspicious activity in the email account on Jan. 23. Further analysis revealed an unknown party had had access to it since Dec. 21, according to a breach disclosure notice.
Data in the account’s emails included names, addresses, social security numbers, payment information, and medical information related to dental services.
Although reports of the breach do not cite a specific cause, many similar events are caused by email phishing attacks.
In yet another example of an email-based compromise, EyeSouth discovered an unknown individual had access to an employee email account for more than a month, exposing the personal records of more than 24,000 people.
EyeSouth is a business associate and provider of management services to Georgia Eye Associates, a healthcare provider.
The breach was discovered on Oct. 25 and exposed data of Georgia Eye Associates patients, including names, patient IDs, phone numbers, email addresses, names of health insurance carriers, and account balance information.
Again, not enough is known about the breach to determine its cause, but such events are often the result of phishing attacks.
Women’s Health USA (WHUSA) was hit by a “phishing attack in which a cybercriminal tricked some WHUSA employees into providing their email account credentials,” according to a breach disclosure notice.
Two employee email accounts were compromised, and the data exposed included “dates of birth, Social Security numbers, Medicare claim numbers, health insurance policy numbers, diagnoses, and treatment information,” according to the disclosure.
If you serve clients in healthcare, ask yourself, for each employee who has an email account, whether you trust that person with the fate of your business.
That may seem like hyperbole, but the fallout of a HIPAA breach can be severe.
Business associates are required to notify their partnering care providers (aka “covered entities”) within 60 days after a breach is discovered.
Associates can also be saddled with the responsibility of notifying all affected individuals, a group that can number in the hundreds of thousands.
“While the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate,” according to the U.S. Dept. of Health and Human Services.
After a breach, business associates can also be listed on the HIPAA Wall of Shame and hammered with expenses, including the cost of:
Remember: it takes only one successful phishing email to trigger a potentially crippling HIPAA breach – so train your employees to spot phishing attacks and handle patient data with extreme care.