Young Consulting, a significant healthcare vendor and HIPAA business associate was hit by a ransomware attack, exposing the personal information of nearly 1 million individuals. Based in Atlanta, the company provides software solutions for the marketing, underwriting, and administration of medical stop loss insurance for carriers, brokers, and third-party administrators.

According to the breach notice on its website, Young Consulting experienced technical difficulties on its computer network on April 13, 2024. An investigation revealed that an unauthorized actor accessed the company’s network between April 10 and April 13 and downloaded copies of files.

The protected health information (PHI) exposed in the breach varied by individual but may include a combination of individuals’ names, Social Security numbers, dates of birth, and insurance policy/claim information. According to the software maker, the compromised data belongs to health insurer Blue Shield of California and “other covered entities.” Blue Shield of California also notified patients of the breach and directed affected patients to Young Consulting’s breach notice for more details.

Young Consulting has begun notifying affected individuals of the breach and is offering complimentary credit monitoring and identity theft restoration services.

BlackSuit Ransomware Group

Although Young Consulting did not mention ransomware in its notice, the BlackSuit ransomware group has claimed responsibility for the attack. The BlackSuit group has been known to target healthcare.

The HHS Health Sector Cybersecurity Coordination Center (HC3) issued an alert in March 2023, warning that the group “will likely be a credible threat” to the healthcare sector. That same alert has been updated four times, most recently on August 27, 2024.

The Cybersecurity and Infrastructure Security Agency (CISA) issued the same warnings, noting that BlackSuit is a rebrand of the Royal ransomware group. This variant was also used against the healthcare sector in 2022 and 2023. CISA’s August 2024 updated alert notes that “BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities. ”

CISA encourages companies in the healthcare sector to:

1. Prioritize remediating known exploited vulnerabilities.
2. Train users to recognize and report phishing attempts.
3. Enable and enforce multifactor authentication.

For specific technical guidance, refer to the CISA Alert.

HIPAA Business Associates are a Weak Link in Healthcare Cybersecurity

One covered entity maintains only its patients’ protected health information (PHI), but one business associate touches the PHI of individuals among all the business associate’s customers. Therefore, business associate breaches are usually much more significant and affect many more people simultaneously. There have been many examples in recent years, but two from this year are WebTPA, affecting 2.4 million, and Change Healthcare, affecting 1 in 3 Americans, with the final tally yet to be known.

Both the covered entity and the business associate are responsible for HIPAA compliance. Neither can offload the responsibility for maintaining the privacy and security of patient information to the other party. It is a shared responsibility, with the terms of how it’s to be accomplished outlined in the business associate agreement between the parties.

Conduct Due Diligence with Business Associates

Business associates need their own HIPAA policies and procedures and need to do a Risk Analysis at least once a year, just as covered entities must do. Covered entities that engage third-party vendors that touch PHI must conduct due diligence with their business associates. In turn, business associates that engage subcontractor business associates must do the same with their subcontractors.

Fight Ransomware with the HIPAA Security Rule

Robust HIPAA compliance is the best defense against cybersecurity threats in healthcare. HIPAA requires all covered entities and business associates to have administrative, physical, and technical safeguards to secure patient data.

Do an annual Risk Analysis and use the Security Rule Checklist.  Use CISA’s StopRansomware guidance and review the latest guidance from NIST and HHS.

If you need guidance about where to start or how to improve your defenses against ransomware, call The HIPAA E-Tool^®.