In emergency medicine, an ambulance may be the first provider to see a patient – at home or at the scene of an accident. Emergency Medical Service (EMS) providers are covered entities and are required to comply with HIPAA.
Three notable cybersecurity events this year highlight how vulnerable EMS is to health privacy incidents. Two covered entities and one business associate experienced ransomware attacks and breaches of protected health information (PHI).
- Empress Ambulance Services LLC, a New York-based ambulance company, reported an apparent ransomware breach to the Department of Health and Human Services’ Office for Civil Rights (OCR) on September 9, affecting nearly 319,000 individuals.
- Bryan County Ambulance Authority in Oklahoma began notifying patients on May 18, 2022 of a ransomware attack it had experienced seven months earlier, in November 2021. The ambulance authority reported the breach to OCR the same day. According to the OCR data breach portal, the incident affected 14,273 individuals. Note that the HIPAA Breach Notification Rule requires covered entities to report healthcare data breaches within 60 days of discovery.
- Massachusetts-based Comstar, LLC reported a hacking breach to OCR in May, affecting nearly 69,000 individuals. This breach is now the subject of at least two proposed class action lawsuits that were recently consolidated in a Massachusetts federal court. Comstar is a HIPAA business associate that provides billing, collection and other services to municipal and non-profit ambulance companies.
Emergency service agencies in medicine are typically neither large nor well-funded. They tend to be smaller, localized organizations serving a specific geographic area. Many are municipal entities or non-profits, funded by taxes and/or user fees, insurance reimbursement or grants. Even with funding challenges, they are still expected to follow HIPAA privacy law and maintain safeguards to protect the privacy and security of patient data.
Comstar, the billing services business associate, is larger than most EMS agencies and has customers in several New England states. As noted, it now faces a class action lawsuit brought by a Rhode Island resident alleging that Comstar was negligent in failing to secure consumers’ private information, leading to the March 2022 data breach.
OCR Enforcement of EMS
All three events will be investigated, because OCR investigates every health data breach affecting more than 500 individuals. And OCR has not hesitated to go after EMS agencies in the past. In December 2019, OCR announced that West Georgia Ambulance, Inc. in Atlanta would pay $65,000 to settle an investigation into failures to follow HIPAA. In that case the agency lost an unencrypted laptop, exposing the PHI of 500 patients. When OCR investigated, it found numerous HIPAA violations throughout the agency, and when OCR offered technical assistance, the agency did not take meaningful steps to correct them.
HIPAA is a Blueprint for Reducing Exposure
You can avoid investigations and fines by following HIPAA in the first place. Have policies and procedures in place, conduct a HIPAA Risk Analysis, and train the workforce on maintaining the required HIPAA safeguards. If OCR comes calling, cooperate.