More Health Data Breaches Tied to Vendor Incidents
Hacker Attacks Against Accellion, Other Vendors Expose Patient Data
The list of healthcare organizations affected by recent vendor security incidents - including the recent attack against Accellion - continues to grow.
For example, the supermarket and pharmacy chain Kroger reports that more than 368,000 individuals' protected health information was affected by the Accellion hacking incident, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
In a recent statement, Kroger says Accellion notified the company that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service.
"Accellion software was used for secure file transfers of certain HR data and pharmacy and clinic customer information," Kroger says.
Several other healthcare sector entities have also recently issued breach notification statements acknowledging they've been affected by the Accellion incident.
Those include Springfield, Illinois-based Southern Illinois University School of Medicine and Trillium Community Health Plan based in Springfield, Oregon.
Canada-based Nova Scotia Health Employees’ Pension Plan also issued a recent statement about being a victim of the Accellion incident.
In another recent vendor-related breach, more than 207,000 patients, providers and employees of Tacoma, Washington-based MultiCare Health System are receiving notices that their personal information was exposed in a ransomware attack involving a business associate's vendor.
In that incident, Woodcreek Provider Services, which provides medical practice management services to MultiCare, reports that it was affected by a December ransomware attack on cloud technology services vendor Netgain Technology.
In a Tuesday statement, Woodcreek says the attackers accessed a wide range of personal and protected health information of Woodcreek Provider Services employees, providers, applicants, contractors and patients.
The recent data breaches involving vendors join a long list of other third-party breaches on the HHS tally.
For instance, hacking incidents in 2019 and 2020 involving debt collector firm American Medical Collection Agency and cloud-based fundraising software vendor Blackbaud have racked up dozens of health data breach reports affecting tens of millions of individuals.
In light of vendor breaches, healthcare organizations need to take extra precautions, privacy and security experts say.
"Healthcare organizations that hire these firms should take prompt action to protect themselves from the fallout, beginning with shoring up their vendor relationships," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"The types of incidents that involve vendors providing data management services for healthcare business operations are the scariest of incidents because of the breadth and sheer volume of the data they could be handling."
The Accellion cyberattack sets an example of why healthcare entities should make diligent vendor security risk management a priority, Holtzman adds.
"First, prepare for the eventuality that one of your vendors is going to suffer a cybersecurity incident. There are steps to be able to both respond and recover from an incident that impacts the data that information technology service providers create or maintain on our behalf."
Keith Fricke, a principal consultant at tw-Security, suggests that healthcare organizations diligently assess the risks posed by vendors providing remotely hosted services or products.
"Organizations should have policies and contractual language addressing vendors accessing, storing, processing or transmitting sensitive information to or from overseas locations," he notes. "Asking the vendor if they subcontract any services or labor is important."
Fricke says healthcare organizations should demand to see all vendors' security and privacy policies.
Entities should watch for certain "red flags" indicating that the vendor likely has an immature security program, he says. Those include policies that were put together in response to a request to review policies; policies with no metadata, such as policy author, policy approver, last review date, or revision number; and policies missing significant content.
"Criminals continue seeking out vectors of attack that provide them with unauthorized access to networks and data," Fricke says. That's why it's more important than ever to scrutinize vendors' security risks.