One cyber attack on a mobile imaging provider has caused healthcare data breaches for at least three rural health systems that use its services. The largest breach so far happened to Sanford Health (21,211 patients affected); also hit were Avera (1,500 patients) and Monument Health (2,500 patients). All three are headquartered in South Dakota. There may be additional providers that haven’t come forward yet.
DMS Health Technologies first reported a security incident on June 16, 2023. DMS provides mobile imaging products, and owns and operates a fleet of mobile MRI, CT, PET/CT, and Nuclear Medicine systems for interim, mobile and fixed-site rental. The company explained that an unauthorized party had obtained patients' protected health information (PHI) between March 27 and April 24, 2023. The compromised PHI may have included names, dates of birth, dates of service, physician names and exam types.
Business Associate or Covered Entity?
DMS is a third-party vendor, under contract with health systems to provide imaging services. At first glance, DMS appears to be a HIPAA business associate, but it may be a healthcare provider or covered entity. One provider can contract with another provider to offer services.
If DMS bills for its services and is reimbursed by or on behalf of the patients who use them, it's a provider and a HIPAA covered entity. On the other hand, if the health systems bill patients for DMS services, DMS is a business associate. DMS does not have a notice of privacy practices posted on its website, which all covered entities are required to post; this implies it is not a covered entity (or it could simply be an oversight).
It’s also possible that DMS is both a covered entity and a business associate. It doesn’t matter for the immediate situation as long as someone is managing the breach – investigating, notifying patients and governmental authorities, and taking corrective actions. Later, during an investigation or a lawsuit, the issue will be more important.
As of today, there is no HIPAA breach report on file at the Office for Civil Rights (OCR). HIPAA requires that breaches affecting 500 or more individuals be reported no later than 60 days after the breach is discovered.
Health Systems Affected to Date
DMS’ original report did not identify the affected health care providers, but reports from the providers themselves have been published in the last two weeks. Avera issued a press release on September 6, and Sanford and Monument both revealed the breaches on September 15. All three noted that DMS will be notifying affected patients.
- Sanford Health notes on its website that it is the largest rural health system in the United States. Headquartered in Sioux Falls, Sanford serves more than one million patients and 201,000 health plan members across 250,000 square miles. Sanford Health patients being notified of the breach include 10,334 in North Dakota, 4,967 in Minnesota, 2,685 in South Dakota, 1,058 in Iowa and limited numbers in 36 other states.
- Avera is a regional health system with 315 locations in 100 communities in South Dakota, Iowa, Minnesota, Nebraska and North Dakota. Avera serves a population of 1 million across 72,000 square miles.
- Monument Health, headquartered in Rapid City, is a community-based health care system that offers care in 31 medical specialties and serves 12 communities across western South Dakota. Monument Health operates 5 hospitals and more than 40 medical clinics and specialty centers.
Third-Party Vendor Risk Management
Whether DMS is a business associate or a covered entity is not central to the affected patients whose personal information was compromised. Knowing that their providers have strong cybersecurity protections in place matters. Knowing that they comply with HIPAA matters.
In either case, covered entities need to require that third-party vendors do everything possible to maintain the privacy and security of patient data. Whether a business associate or a covered entity, a vendor must comply with HIPAA: have policies and procedures in place, conduct workforce training, perform an annual HIPAA Risk Analysis and follow a Risk Management plan year-round.