Two recent breach reports affecting over 33,000 individuals may be the tip of the iceberg in a hack that originated at Choice Health Insurance in May 2022. The Maine Attorney General office shows breach reports filed on September 21, 2022 by Humana and on September 30, 2022 by Anthem MaineHealth, both linked to Choice Health. An earlier breach report linked to Choice Health was submitted to the California Attorney General on June 8.
A third-party vendor is the hub of a wheel, with spokes connected to multiple customers. Choice Health Insurance, for example, is an independent insurance broker and HIPAA business associate offering health insurance options to individuals nationwide. Based in South Carolina, it contracts with health plans across the country, collecting protected health information (PHI) from thousands of individuals seeking health insurance. Choice Health is now part of Alight Solutions.
Some of the plans offered by Choice Health are from household names in health insurance: Humana, WellCare Health Plans, Anthem BlueCross BlueShield, Mutual of Omaha, United Healthcare, Cigna and Aetna. Choice Health also offers plans through healthcare.gov. Choice Health Insurance employs more than 130 individuals and generates approximately $33 million in annual sales.
Breach Notification Report
The California breach report explained that Choice Health learned on May 14, 2022 that “an unauthorized person was offering to make available data allegedly taken from Choice Health.” On May 18 it determined that, “due to a technical security configuration issue caused by a third-party service provider, a single Choice Health database was accessible through the Internet.” Through that exposure an unauthorized party reached the database “and obtained certain database files on or about May 7, 2022.” Note the order of events: the files were taken on May 7, and the first indication of the incident was the data being offered for sale a week later.
The files contained information such as first and last names, Social Security numbers, Medicare beneficiary identification numbers, birth dates, addresses and contact information, and health insurance information.
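The report describes the root cause only as a configuration issue that left a single database reachable from the Internet. The following is an added example, not code from the breach report or from Choice Health, showing the kind of configuration audit that catches that pattern. The report does not name the database engine; PostgreSQL is assumed here purely for illustration, and the weak and corrected configuration fragments are constructed for the example.

```python
"""Audit PostgreSQL listener and host-based-auth settings for Internet exposure.

Added example (not from the Choice Health breach report, which names no
database engine; PostgreSQL is an assumption). The two config pairs below
are constructed samples: one shows the exposed pattern, one the corrected one.
"""
import ipaddress
import re

# An uncommented listen_addresses line in postgresql.conf.
_LISTEN_RE = re.compile(r"^\s*listen_addresses\s*=\s*'([^']*)'", re.M)

# Source ranges that cannot be reached from the public Internet.
NON_PUBLIC = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def listen_addresses(postgresql_conf: str) -> list[str]:
    """Return the configured listen_addresses entries (PostgreSQL defaults to localhost)."""
    m = _LISTEN_RE.search(postgresql_conf)
    if not m:
        return ["localhost"]
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


def parse_hba(pg_hba_conf: str) -> list[dict]:
    """Parse TCP-type pg_hba.conf rules written in CIDR form into dicts."""
    rules = []
    for line in pg_hba_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 5 and parts[0] in ("host", "hostssl", "hostnossl"):
            rules.append({"type": parts[0], "db": parts[1], "user": parts[2],
                          "addr": parts[3], "method": parts[4]})
    return rules


def admits_public_sources(addr: str) -> bool:
    """True if an HBA address field lets in clients from non-private addresses."""
    if addr == "all":
        return True
    if addr in ("samehost", "samenet"):
        return False
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False  # hostname or malformed entry; not judged here
    return not any(net.version == p.version and net.subnet_of(p) for p in NON_PUBLIC)


def audit(postgresql_conf: str, pg_hba_conf: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    addrs = listen_addresses(postgresql_conf)
    if any(a in ("*", "0.0.0.0", "::") for a in addrs):
        findings.append("listener bound to all interfaces: listen_addresses=" + ",".join(addrs))
    for r in parse_hba(pg_hba_conf):
        if r["method"] == "reject" or not admits_public_sources(r["addr"]):
            continue
        sev = "CRITICAL" if r["method"] == "trust" else "HIGH"
        findings.append(f"{sev}: {r['type']} rule db={r['db']} user={r['user']} "
                        f"admits {r['addr']} with auth method '{r['method']}'")
    return findings


def internet_exposed(postgresql_conf: str, pg_hba_conf: str) -> bool:
    """Exposure needs both: a wide listener and an HBA rule that admits public sources."""
    f = audit(postgresql_conf, pg_hba_conf)
    return any(x.startswith("listener") for x in f) and any(x[0] in "CH" for x in f)


# Constructed sample configs (not from any real deployment).
WEAK_CONF = "port = 5432\nlisten_addresses = '*'\n"
WEAK_HBA = """# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      trust
"""
FIXED_CONF = "port = 5432\nlisten_addresses = '10.20.0.5'\n"
FIXED_HBA = """local   all       all                  peer
hostssl all       all   10.20.0.0/16   scram-sha-256
host    all       all   0.0.0.0/0      reject
"""

if __name__ == "__main__":
    for label, conf, hba in (("weak", WEAK_CONF, WEAK_HBA), ("fixed", FIXED_CONF, FIXED_HBA)):
        print(f"[{label}] exposed={internet_exposed(conf, hba)}")
        for line in audit(conf, hba):
            print("  -", line)
```

The check is deliberately two-part: a database bound to every interface is only reachable from the Internet if the host-based rules also admit non-private sources, and a wide-open rule is only latent until the listener is widened. Either change on its own, made by a provider without the data owner noticing, turns a private database into a public one.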
How Many Were Affected?
It is unclear how many individuals’ data were exposed. The California breach report did not give a number, and as of this writing the incident has not appeared on the HHS Office for Civil Rights breach reporting portal, so the total cannot be confirmed. It is at least 33,000, based on the two Maine reports noted above, and will likely climb higher.
In June, DataBreaches.net noted that the dark web forum offering the Choice Health data for sale said “600MB of data had been obtained, spread across 2,141,006 files, which were described as having names such as ‘Agents, Commission, Contacts, Policies.’”
Liability and Risks
OCR investigates all breaches that affect more than 500 individuals, and state attorneys general are also becoming more active in investigating healthcare data breaches. At a minimum, Choice Health Insurance will be investigated, but questions may run up the chain to the health plan covered entity customers, depending on what OCR learns. OCR will review Choice Health’s business associate agreements and may find that the covered entity health plans did not conduct due diligence to confirm that Choice Health had adequate HIPAA safeguards to protect patient data.
Class Action Lawsuits are Brewing
At least three law firms are advertising their services to represent individuals affected by the Choice Health breach. HIPAA does not provide individuals a private right to sue for HIPAA violations, but lawsuits may be brought under state privacy or consumer protection laws alleging negligence or breach of contract. These lawsuits are becoming more common in larger breaches, and some are settling for large dollar amounts. A very recent settlement is one for $1.43 million by Magellan Health for alleged negligence in preventing a phishing attack that compromised the privacy of 273,000 individuals.
Stem the Tide by Following HIPAA
The Choice Health breach is just the latest in a string of headlines about business associate data breaches. The reason these breaches have skyrocketed is a simple numbers game. Criminals know that one successful business associate attack yields PHI from hundreds of covered entities.
In a sense, business associates are just couriers and covered entities are the real targets. Covered entities need to take business associate due diligence seriously. A covered entity that entrusts PHI to a business associate without confirming the business associate has a HIPAA compliance program in place risks being found responsible for ‘willful neglect’, subject to the highest HIPAA civil monetary penalties.
Ask whether the business associate has conducted a HIPAA risk analysis, and review whether business associate agreements are in place. Both covered entities and business associates should have legal counsel review the agreements to ensure they are up to date and provide the terms they require.
HIPAA compliance fights back against cyber crime. Comply now, before a bad event happens – do a risk analysis and manage your risks year round – it’s easier and much less expensive than investigations and lawsuits. Whether you’re a health plan, a provider or a business associate, The HIPAA E-Tool® has answers about what HIPAA compliance can do for you.