ESO Solutions, a healthcare software company, is notifying 2.7 million individuals of a data breach caused by a September 2023 ransomware attack against its systems. ESO Solutions provides software to hospitals, emergency medical services, fire departments, and state and federal agencies.
According to its breach notice, ESO detected a ransomware attack on September 28, 2023. The cyber attackers had accessed and encrypted some of ESO’s computer systems. ESO immediately took affected systems offline and engaged third-party forensics experts. By October 23, the investigation revealed that the hackers had acquired the personal and protected health information (PHI) of its healthcare customers’ patients.
“Please know that we have taken all reasonable steps to prevent the data from being further published or distributed and have notified and are working with federal law enforcement to investigate,” ESO stated.
The compromised PHI included names, birth dates, phone numbers, medical record numbers, injury type and date, treatment date, treatment type, and, in some cases, Social Security numbers.
ESO began mailing breach notification letters on December 12, 2023, to individuals affected by the breach. Although ESO stated it was unaware of any misuse of personal information to date, it offered impacted individuals complimentary credit monitoring and identity theft protection services as a precaution.
Business Associates Hold Massive Amounts of Patient Data
Ransomware attacks on third-party vendors like ESO Solutions are incredibly damaging. Third-party vendors are HIPAA business associates if they “create, receive, maintain, or transmit” PHI. Often, because a vendor like ESO Solutions has multiple customers, it has access to vast amounts of patient data for those customers. So, a data breach at a business associate affects many more individuals than a breach at a single covered entity, like a hospital or medical practice.
The ESO breach joins other massive business associate breaches in 2023. The largest involved the MOVEit file transfer software, affecting dozens of healthcare organizations and millions of patients. Welltok, Inc., a patient communication services provider based in Denver, is a business associate that used the MOVEit software. The hack on Welltok through MOVEit affected almost 8.5 million patients; an attack on Delta Dental of California through the MOVEit software affected 7.5 million.
Business Associate Due Diligence
When a ransomware attack happens at a business associate vendor, the covered entity customers are not necessarily off the hook.
The Office for Civil Rights (OCR) will investigate, and lawsuits will likely be filed. Although ESO Solutions is the main subject of the investigation, its covered entity customers may be drawn in. One of the questions in an investigation or lawsuit is whether the covered entities conducted due diligence with ESO Solutions. Did they confirm that ESO had HIPAA policies and had performed a HIPAA risk analysis? Did the parties enter a HIPAA business associate agreement?