October 2, 2023
If you have recently noticed a surge in notifications regarding healthcare data breaches, you are not alone. Healthcare institutions are not the only ones at risk; so are the third-party vendors that are part of the intricate web that makes the healthcare system function. From revenue cycle management to patient records, many healthcare functions are outsourced to external vendors, creating numerous points of vulnerability. This week’s data breach roundup proves, once again, that third-party data breaches continue to dominate breach notifications, affecting a multitude of healthcare entities.
The MOVEit Hack: A Cascade of Fallout
Let’s consider the case of The Harris Center for Mental Health and IDD. The organization notified 599,367 individuals of a breach emanating from the MOVEit Transfer hack. MOVEit, a third-party service provider, issued a patch on the day it disclosed its vulnerability, but the damage was already done. The Harris Center doesn’t use MOVEit directly but is connected through another vendor.
Names, addresses, Social Security numbers, and other sensitive information were compromised, highlighting how interconnected and vulnerable the healthcare system is when even a single third-party vendor suffers a data breach.
Data Media Associates (DMA) Alert
DMA, another third-party service provider specializing in revenue cycle management, also reported a breach following the MOVEit hack. The company was quick to respond to the Cybersecurity and Infrastructure Security Agency’s (CISA) alert but found that unauthorized parties might have acquired certain data. DMA has since taken remediation measures, but the incident serves as a lesson for the healthcare industry to vet its third-party vendors more rigorously.
Proactive Steps for Healthcare Entities
If you are a healthcare provider or a healthcare compliance attorney, the time for complacency is over. Here are some steps to consider:
- Vet Third-Party Vendors: Understand what kind of data the third-party vendors are handling and what measures they are taking for security.
- Regular Audits: Periodically review the data security measures of the third-party vendors you are associated with.
- Incident Response Plan: Have a contingency plan in place for when a breach occurs, detailing how the information will be secured and how patients will be notified.
- Liability Clauses: Make sure to include clauses in contracts with third-party vendors that outline responsibilities and liabilities in case of data breaches.
- Collaboration: Consider sharing best practices and key learnings with industry peers, possibly via health information organizations (HIOs) or industry-specific forums.
Conclusion
Third-party data breaches are continuing to compromise healthcare data at an alarming rate. Healthcare entities, attorneys, and compliance officers need to scrutinize their external partnerships just as diligently as their internal systems. Failing to do so invites not only a breach of data but a breach of trust, the backbone of healthcare.