DMS Technologies Health Data Breach Grows

One cyber attack on a mobile imaging provider has caused healthcare data breaches for at least three rural health systems that use its services. The largest breach so far happened to Sanford Health (21,211 patients affected); also hit were Avera (1,500 patients) and Monument Health (2,500 patients). All three are headquartered in South Dakota. There may be additional providers that haven’t come forward yet.

DMS Health Technologies first reported a security incident on June 16, 2023. DMS provides mobile imaging products, and owns and operates a fleet of mobile MRI, CT, PET/CT, and Nuclear Medicine systems for interim, mobile and fixed site rental. The company explained that an unauthorized party had obtained protected health information (PHI) from patients between March 27 and April 24, 2023. The PHI compromised may have included names, dates of birth, dates of service, physician name and exam type.

Business Associate or Covered Entity?

DMS is a third-party vendor, under contract with health systems to provide imaging services. At first glance, DMS appears to be a HIPAA business associate, but it may be a healthcare provider or covered entity. One provider can contract with another provider to offer services.

If DMS bills and is reimbursed for or by patients who use its services, it’s a provider and a HIPAA covered entity. On the other hand, if the health systems bill patients for DMS services, DMS is a business associate. DMS does not have a notice of privacy practices posted on its website, a requirement of all covered entities, implying it is not a covered entity (or this could be an oversight).

It’s also possible that DMS is both a covered entity and a business associate. It doesn’t matter for the immediate situation as long as someone is managing the breach – investigating, notifying patients and governmental authorities, and taking corrective actions. Later, during an investigation or a lawsuit, the issue will be more important.

As of today, there is no HIPAA breach report on file at the Office for Civil Rights (OCR). HIPAA requires that breaches affecting 500 or more must be reported no later than 60 days after discovering the breach.

Health Systems Affected to Date

DMS’ original report did not identify the affected health care providers, but reports from the providers themselves have been published in the last two weeks. Avera issued a press release on September 6, and Sanford and Monument both revealed the breaches on September 15. All three noted that DMS will be notifying affected patients.

  • Sanford Health notes on its website that it is the largest rural health system in the United States. Headquartered in Sioux Falls, Sanford serves more than one million patients and 201,000 health plan members across 250,000 square miles. Sanford Health patients being notified of the breach include 10,334 in North Dakota, 4,967 in Minnesota, 2,685 in South Dakota, 1,058 in Iowa and limited numbers in 36 other states.
  • Avera is a regional health system with 315 locations in 100 communities in South Dakota, Iowa, Minnesota, Nebraska and North Dakota. Avera serves a population of 1 million across 72,000 square miles.
  • Monument Health, headquartered in Rapid City, is a community-based health care system that offers care in 31 medical specialties and serves 12 communities across western South Dakota. Monument Health operates 5 hospitals and 40+ medical clinics and specialty centers.

Third-Party Vendor Risk Management

Whether DMS is a business associate or a covered entity is not central to the affected patients whose personal information was compromised. Knowing that their providers have strong cybersecurity protections in place matters. Knowing that they comply with HIPAA matters.

In either case, covered entities need to require third-party vendors do everything possible to maintain the privacy and security of patient data. Whether a business associate or a covered entity, they must comply with HIPAA – have policies and procedures, conduct workforce training, do an annual HIPAA Risk Analysis and follow a Risk Management plan year-round.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms & Conditions | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124