Another day, another data breach … this time involving a business associate in charge of medical records storage, Sharecare Health Data Services (SHDS).
AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice that a hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of the two healthcare entities. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018. SHDS did not notify AltaMed or BSC of the breach until December 31, 2018. The exact number of affected individuals is not yet certain but is at least into the tens of thousands.
This is another example of why covered entities need to stay vigilant, not only of their own compliance but also that of their vendors who may have access to PHI. Even though the breach occurred at the business associate and not the covered entity, the covered entity is still responsible for providing notice to affected individuals, which often requires significant money and resources. Breaches caused by business associates can lead to costly investigation, notification, and mitigation efforts for covered entities. Therefore, covered entities should work to ensure that they have the following:
Business associate agreements with all vendors handling PHI
Contractual protections, including indemnification provisions
Cyberliability insurance coverage, together with a clear understanding of how that coverage applies to breaches caused by vendors
HIPAAcraticRX provides tools, training, documentation and support to both covered entities and business associates, to make sure you and your vendors are covered at all times. To read this article in its entirety, visit The National Law Review.