Billing Vendor Breach Affects 275,000
Not Yet Clear How Many of Firm's Healthcare Clients Were Affected
Some 275,000 individuals served by a variety of healthcare providers and health plans had data exposed as a result of a breach at Houston-based billing and debt collection vendor Benefit Recovery Specialists Inc.
The BRSI incident appears to be somewhat similar to a breach about a year ago affecting another medical debt collection company, American Medical Collection Agency. That incident impacted more than two dozen of the firm's clients and more than 20 million individuals, according to the HHS website.
"What is disturbing is that we are beginning to see a trend in the medical debt collection services that may reflect inadequate cybersecurity safeguards in the sector," says privacy attorney David Holtzman, principal of consulting firm HITprivacy LLC.
Holtzman suggests that healthcare organizations carefully review whether they are BRSI customers. "It may not be readily apparent because many business units contract or maintain relationships with service providers that may not be entirely known throughout the organization," he points out.
Organizations that are BRSI clients will need to "initiate their incident response plan, which will include an inventory of the patients whose PHI was maintained by the vendor on their behalf. Those steps should begin now," he stresses.
Added to the Tally
The BRSI breach was added Monday to the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website.
Also commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.
The incident is the fifth business associate breach among the top 10 added to the tally so far this year (see: Health Data Breach Trends: Mid-Year Assessment).
Notification Offer Details
In a June 26 breach notification statement posted on BRSI's website, the company says that on April 30, it discovered a malware incident affecting certain company systems.
"We immediately began an internal investigation and took the affected systems offline to remove the malware and ensure the security of the BRSI environment," the statement says. "We also began working with third-party cybersecurity specialists to determine the full scope and nature of the event and notified federal law enforcement."
The investigation confirmed that an unauthorized actor accessed BRSI's systems using employee credentials and deployed malware within BRSI's environment, the statement says.
"The investigation further revealed that certain BRSI customer files containing personal information may have been accessed and/or acquired by the unknown actor between April 20 and April 30, 2020," according to the statement.
Information that may have been exposed includes name, date of birth, date of service, provider name, policy identification number, procedure code, and/or diagnosis code, BRSI says. For a small number of individuals, Social Security number may also have been exposed, the statement adds.
"Upon learning of the incident, we began working with third-party specialists to assess and develop a response plan and secure the BRSI environment," the company says.
BRSI did not immediately respond to Information Security Media Group's request for additional details, including how many client organizations were affected by the breach and whether the malware was ransomware.
Third-Party Risk Management
The BRSI breach, and the similar AMCA breach last year, "should be motivating healthcare organizations to take prompt action to protect themselves from the fallout, beginning with shoring up their vendor relationships," Holtzman says.
"The types of incidents that involve vendors providing debt collection services to a broad swath of leading healthcare organizations really are the scariest of incidents because of the breadth and sheer volume of the data they could be handling," he notes.
"We should take this as an opportunity to prepare for the eventuality that one of our vendors is going to suffer a cybersecurity incident. And there are steps we should take to be able to both respond and recover from an incident that impacts the data that they create or maintain on our behalf."
The description of the incident provided by BRSI in its breach notification statement - in particular, the company's mention that the perpetrator used employee credentials - points to the possibility that BRSI's information system was compromised through a phishing attack, Holtzman says.
"It is crucial that organizations educate and make their workforce members aware of how to recognize and respond to suspicious emails and to recognize when a specific communication is too risky to open," he says. "Organizations must have technology in place for a system-activity audit and review taking place in their information system area."
Monitoring Business Associates
The BRSI incident also shines a spotlight - yet again - on the privacy and security risks posed by business associates.
"This should highlight the need to go beyond just having BAs sign a BA agreement, then not doing any type of oversight or regular follow-up to make sure that they have actually implemented actions, processes, procedures and tools necessary to fulfill what the BAA has required them to do," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"When a BA, or any vendor of B-to-B services in any industry, does not actually do what they have contractually obligated themselves to do, then they will become a huge security vulnerability. And then breaches and other types of security incidents will occur."
Herold also points out that HHS "has said many times in many ways throughout the past two decades that covered entities need to take actions and 'obtain reasonable assurances' that the BAs are actually following those [security] requirements during the course of their business operations."