Vendor-Related PHI Breach Reports Keep Rolling In
Clients of Health Insurer, Consultancy Among Those Affected
Several recent health data breaches involving vendors - including more reports related to the Accellion file transfer appliance hack - show that managing vendor security risks remains a difficult ongoing challenge in the healthcare sector.
For example, Indiana-based Renaissance Life & Health Insurance Co. says a vendor breach affected its customers' protected health information.
Meanwhile, professional consulting services firm Guidehouse is notifying an undisclosed number of its healthcare clients and their patients that data was exposed as a result of zero-day attacks on Accellion's legacy File Transfer Appliance.
Renaissance's SAS Breach
Renaissance Life & Health Insurance Co. says one of its vendors, Secure Administrative Solutions, reported a security incident affecting the privacy of an undisclosed number of the insurer's policyholders.
The breach appears to have involved a ransomware incident, and the vendor may have paid a ransom, the insurer says in its notification.
"The details Renaissance received from SAS indicated that information related to certain Renaissance policyholders was present on the impacted SAS systems at the time of the incident and subject to unauthorized acquisition, as a result," the insurer says.
"SAS reported that unauthorized access to its systems occurred between March 15 and April 15, and that it notified the FBI of this incident on May 27," Renaissance says. "Renaissance understands that the exfiltrated information has been destroyed by the unauthorized actor, but that the identity of the unauthorized actor is unknown."
SAS Notification
A sample breach notification letter SAS submitted to the state of Montana's attorney general's office also suggests that the incident involved ransomware.
"On April 15, we experienced unusual activity on our IT systems and were unable to access certain portions of the systems across our network," SAS wrote. "On May 25 we learned that a limited amount of your information may have been taken from our environment during the incident."
SAS adds that it "restored servers from clean backups, enforced a system-wide global password reset, implemented more strict password complexity requirements, and provided all users with new personal computers and training on updated network security protocols and procedures."
Affected PHI
Renaissance in its notification says information that may have been exposed includes names, addresses, dates of birth, health insurance policy numbers and other health insurance information, such as policy type.
Although the insurer says it was informed by its vendor that no policyholders' Social Security numbers or financial information had been compromised in the incident, the vendor's sample notification letter indicates that affected data includes names, Social Security numbers and agent numbers.
Neither Renaissance nor SAS immediately responded to Information Security Media Group's request for additional details about the incident.
As of Monday, the Renaissance breach was not posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Worrisome Breach
Regulatory attorney Paul Hales of the Hales Law Group notes that SAS "is a special type of HIPAA business associate" because it provides third-party administrator services to Employee Retirement Income Security Act health plans.
"TPAs perform some or all of a covered entity health plan’s administrative activities including uses and disclosures of PHI. … This demands an extra level of due diligence that can be overlooked," he says.
"Employer-sponsored health plans may assume someone like their broker or health underwriter has done necessary HIPAA due diligence," he notes. "But the health plan sponsor cannot ignore its fiduciary responsibility to make sure. Theft of electronic PHI is the deadliest HIPAA breach. One breach can affect a huge number of individuals and ePHI is so easily transmitted."
Commenting on Renaissance's statement that its vendor had been assured the stolen data had been deleted, Hales says: "A criminal's promise that it destroyed stolen ePHI is worthless. You have to assume the information is for sale on the dark web now or lurking as a 'ticking time bomb'."
Guidehouse Incident
In the Guidehouse incident, the company says healthcare clients affected by the Accellion breach are Community Memorial Health System in Ventura, California, and Cayuga Medical Center in Ithaca, New York.
Guidehouse, in a sample notification letter submitted to the California attorney general's office, says it determined that the breach exposed patient names, dates of birth, member IDs, addresses and certain medical information.
Guidehouse clients in other industries affected by the Accellion hack include investment banking giant Morgan Stanley (see: Add Morgan Stanley to List of Accellion FTA Hack Victims).
In a recent letter to the New Hampshire attorney general's office, Morgan Stanley revealed that it had sustained a data breach after an attacker compromised Guidehouse, which provides stock plan management services to the investment bank's employees. Guidehouse used the vulnerable Accellion FTA, Morgan Stanley noted.
Although Guidehouse was hacked in January, the bank says it was notified of the breach in May because the vendor did not immediately detect the incident.
Many organizations worldwide have been affected by the zero-day attack on vulnerable Accellion FTA installations.
Grocery and pharmacy chain Kroger recently settled a class action lawsuit stemming from a breach tied to FTA. Kroger acknowledged it paid a ransom to the ransomware group Clop in exchange for the return of data stolen as a result of the hack of its FTA system.