Business Associate of a Covered Entity Exposed 12 Million Patient Records

June 26, 2019

In 2019 there have been 173 confirmed data breaches reported on the OCR breach portal; at this time last year there were only 68 listed. So far, this has not been a good year for patient-related security incidents, and this latest large-scale breach will only make the numbers worse. Once it is added to the OCR breach portal, it will account for another 11.9 million exposed records. The breach is reported to have directly involved a third party, and the exposed details included financial data, Social Security numbers, portions of medical information, and lab test results.

The data breach itself occurred at American Medical Collection Agency (AMCA). AMCA is a business associate of the covered entity Quest Diagnostics. Like most data breaches, it started with a notification that an “unauthorized user” had accessed information they should not have been able to reach. AMCA is still investigating to determine the entry point that allowed the user to gain access, as well as the exact details of what was exposed. Until proven otherwise, breach counts are typically rounded up to the highest possible number of affected records, since the true scope of exposure is, in most cases, extremely difficult to assess.

A breach of roughly 12 million records is substantial, especially because the largest breach in 2019 up to this point totaled only 1.6 million unique records.

PROTECTING YOURSELF AND YOUR BUSINESS PARTNERS

Outsourcing services to a third party may seem financially appropriate and, in some cases, is your only choice, but it comes with risk. Sharing data, especially data involving patient information, should be approached with extreme caution. Allowing a business associate to access, view, or maintain patient information on behalf of a covered entity requires a contract to be in place called a business associate agreement (HHS Guidance on Business Associates). This document should outline the expectations and requirements that apply when patient information leaves your practice. On its own it will never fully protect patient information, but it is a start. Many times, this is where most covered entities stop: a business associate agreement is signed, and no further discussion occurs. This, of course, is not enough; additional steps should be taken to ensure that those with whom you share patient information are in line with your security program and privacy expectations. An easy approach to evaluating your business partners is to simply have a conversation with them. Start by creating a questionnaire to gauge how important security is to them, and note which controls and documented procedures are in place or lacking. Record their responses to confirm that your business associates meet your expectations for securing and protecting your patients’ information. This gives you not only a better understanding of a potential business partner’s current security and privacy posture, but also documentation demonstrating that you evaluated the risks of granting access to patient information before providing it. Taking these steps should greatly reduce the likelihood of a breach involving your organization’s patient data.