Breach Is Latest in Long List of Complex Vendor Incidents (HealthInfoSec)
December 20, 2022
An Oklahoma-based provider of administrative and technology services to healthcare organizations is notifying more than 271,000 individuals that their personal information may have been compromised in a hacking incident involving a third-party data storage vendor.
The breach is the latest in a long and growing list of major health data security incidents reported to regulators in 2022 involving vendors and sometimes very complicated third-party relationships.
Avem Health Partners – itself a third-party provider of IT services to healthcare entities – in a breach report filed on Dec. 13 to the state of Maine’s attorney general’s office – says that patient information stored on servers of one of its vendors was subject to unauthorized access in an external hacking incident in May.
Avem, in a breach notification statement posted on its website, says “it was notified of a data security incident experienced by 365 Data Centers, a data storage vendor used by a third-party service provider engaged by Avem.”
A spokesman for Norwalk, Connecticut-based 365 Data Centers tells Information Security Media Group that Avem is not a direct client.
“It has their attention but is trying to figure out who the direct client is, as it could be one of their hosting partners’ clients,” he says.
Avem did not immediately respond to ISMG’s request for additional details and clarification about the breach, including how many of Avem’s healthcare entity clients were affected.
Affected Avem files contained patient information, including names, birthdates, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information.
Avem is offering affected individuals one year of complimentary identity and credit monitoring. The company also says it is examining its vendor relationships and evaluating vendors’ security measures.
As of Tuesday, the Avem incident did not yet appear on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Business associates were at the center of nearly 40% of this year’s reported breaches, so far.
“It may be prudent to reconsider how regulated entities are framing their contractual protections and exposure with regard to vendors,” says regulatory attorney Brad Rostolsky of the law firm Reed Smith.
“More attention will need to be paid to business associate agreement indemnity provisions, and I suspect that there will be or should be a harder push to employ vendor security questionnaires and vendor audits.”
Several common themes have emerged in many of the major vendor breaches reported in 2022, says regulatory attorney Rachel Rose.
Among them is the importance of entities obtaining reasonable assurance through due diligence that a business associate has adequate technical, administrative and physical safeguards in place, she says.
That includes during a merger and acquisition. “Not conducting adequate due diligence [can] potentially lead to a breach and associated financial and reputation costs,” she says.
Looking ahead to the New Year, ransomware and phishing attacks will continue to represent critical areas of exposure to the healthcare industry, Rostolsky predicts.
“I would not be surprised if we start seeing more commercial lawsuits filed by covered entities against vendors that did not institute an adequate security program,” he says. “I could also see a push to include express terms in large vendor contracts that more easily enable a breach of contract claim for failing to implement certain security protections.”