We were struck by two elements of the recent massive data breach in Broward County, Florida. One is that the breach most likely began at a third-party vendor site, reminding us that business associate due diligence is critical to maintaining strong HIPAA Risk Management.
The second thing that stands out is that Broward Health’s breach notice to individuals went beyond the usual advice about identity theft and credit monitoring; the notice also alerted patients to the possibility of medical identity theft and advised that they monitor their explanations of benefits (EOBs) to find out whether their medical identity may be used by a thief committing insurance fraud. We have written about this before, noting that medical identity theft raises concerns of patient safety, and we applaud Broward Health for explaining this risk to the individuals affected by the breach.
We also note that this healthcare data breach is one of the ten largest to occur in 2021.
The Attack and its Aftermath
On January 1, 2022, Broward Health, which operates over 30 healthcare facilities in Broward County, Florida, began notifying over 1.3 million individuals that a hacker gained access to and removed data from its system on October 15, 2021. Apparently the hacker accessed the data through a third-party medical provider that had been granted access to the Broward Health network in order to provide healthcare services. The data exfiltrated and compromised included patient and employee names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and financial and insurance information. The hacker also gained access to medical information, including medical history, conditions, treatment, and diagnosis information.
The cyberattack was first reported to the Department of Justice, which requested that Broward Health delay sending breach notification letters to affected individuals so as not to interfere with the law enforcement investigation.
Broward Health says it has taken steps to improve security and prevent similar incidents in the future, including:
- resetting employee passwords,
- implementing multi-factor authentication for all users of its systems, and
- setting minimum security requirements for all devices not managed by Broward Health’s IT department that have access to its network
HIPAA Requires Business Associate Due Diligence
Although we don’t know the particular facts about Broward Health’s third-party vendor (likely a business associate), one can read between the lines of the remediation steps and see that security requirements may not have been strong for devices not managed by Broward Health.
The due diligence requirement is easy to implement. You can review the steps here, but it boils down to:
- Identify – list your vendors and decide who is a “business associate”
- Inquire – ask whether they comply with HIPAA: do they have policies and procedures, and have they done a HIPAA Risk Analysis?
- Document – record your questions and their answers; you need to be able to prove your due diligence
- Enter into a written business associate agreement that gives “satisfactory assurances” that they comply with HIPAA and safeguard protected health information
- Reconfirm – periodically revisit each of them to ensure they still comply
Breach Notification Should Explain All the Risks
The HIPAA Breach Notification Rule requires that covered entities that discover a breach of unsecured protected health information (PHI) notify the individuals affected by the breach “without unreasonable delay” and in no event later than 60 days after discovery (except for delays requested by law enforcement).
The breach notification should always include warnings about all potential harm, not just financial harm.
In addition to financial and credit risks, there is a risk that a patient’s identity will be used by a stranger to obtain insurance coverage or prescription medication. If this happens, the legitimate patient’s medical records will be altered in ways that might be harmful to their care. The way to check for this is to review and monitor one’s own medical records and to check and verify health insurance explanations of benefits.
Covered Entities are also required to:
- notify media outlets if the breach involved 500 or more individuals,
- mitigate harm to each individual affected by the breach,
- protect against any further breaches by taking corrective actions, and
- create and maintain documentation of their compliance with the Breach Notification Rule
HIPAA Compliance is the Best Defense
If you plan ahead, follow the steps of HIPAA Risk Analysis – Risk Management, and keep up with the latest HIPAA news, you can avoid the costs, the damage to your reputation, and the prying eyes of investigators looking into your compliance practices. At The HIPAA E-Tool® answers are at your fingertips.