Another business associate has been hacked and the number of healthcare providers affected, and their patients, is growing.
So far, more than 330,000 individuals have been affected by the hack of an electronic health record (EHR) vendor that serves vision care providers across the country. Eye Care Leaders, based in Durham, North Carolina, offers practice management and health records software services for ophthalmologists, optometrists and opticians. The cloud-based system affected by the hack is myCare Integrity.
On its website, Eye Care Leaders states:
“Trusted by more than 9,000 ophthalmologists and optometrists, Eye Care Leaders is the No. 1 source for top-rated ophthalmology-specific EHR and Practice Management systems.”
Eye care providers have been subject to cybersecurity hacks over the past couple of years, affecting over six million individuals.
The following six eye care providers have reported breaches in recent weeks to either the HHS’ Office for Civil Rights (OCR) or the Maine attorney general’s office:
- Ad Astra Eye LLC, of Kansas reported to OCR on April 29 that 3,684 individuals had been affected;
- Frank Eye Center, P.A., of Kansas reported to OCR on April 29 that 26,333 individuals had been affected;
- Regional Eye Associates Inc. of West Virginia reported to OCR on April 28 that 194,035 individuals had been affected;
- Tennessee-based Summit Eye Associates reported to OCR on April 27 that nearly 54,000 individuals had been affected;
- Washington state-based King County Public Hospital District No. 2 – doing business as Evergreen Health – reported to OCR on April 22 that nearly 21,000 individuals had been affected;
- Ohio-based Allied Eye Physicians & Surgeons Inc. reported to the Maine attorney general’s office on April 27 that an “external hacking” incident had affected nearly 21,000 individuals.
Cyberattacks on business associates are especially damaging because business associates hold so much protected health information (PHI) from all of their customers. As this most recent attack was only discovered in March, the investigation is still ongoing and the number of individuals affected will likely grow.
EHR Systems are Vulnerable
In February, HHS’ Health Sector Cybersecurity Coordination Center issued a warning about cybersecurity threats involving EHRs and EMRs, noting that such data compromises are profitable to cybercriminals for extortion, fraud, identity theft, data laundering and sale on the dark web.
So far in 2022, at least 12 major breaches affecting more than 355,800 individuals have been posted on the OCR breach reporting tool as involving EHRs, for all types of healthcare providers.
Business Associate Due Diligence
Although a business associate is separately liable for HIPAA compliance, healthcare providers that enter contracts with them are still responsible for evaluating whether their business associates are truly compliant. Business associate due diligence requires looking beneath the surface – asking questions and asking for proof of compliance.
Eye Care Leaders promotes itself as “HIPAA compliant” and notes that all of its EHR products have been certified under the HITECH Act’s HHS Office of the National Coordinator of Health IT’s health IT certification program. But a certification from the ONC is not the same as HIPAA compliance.
When a breach occurs at a business associate, the healthcare providers who engaged them are not necessarily off the hook. When OCR investigates the business associate breach, it will also ask questions of the providers the business associate served. Before entering a business associate agreement, providers need to verify, for example, that business associates perform a HIPAA Risk Analysis at least annually and that they have HIPAA policies and procedures in place.
Evaluate your business associates (or subcontractor BAs) and ask questions. If you need help understanding third party vendor (and business associate) risk management, we can help.