Regular readers of the blog won’t be surprised to hear that there has been another data breach, this time involving a business associate in charge of storing medical records on behalf of health care providers and insurers. AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records. The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018. SHDS did not notify AltaMed or BSC of the breach until December 31, 2018.

The exact number of affected individuals is not yet certain but is at least into the thousands. In AltaMed’s notification of the data breach to California’s Attorney General on February 15, 2019, AltaMed reported that it had already notified 5,767 California residents of the breach. In addition, BSC stated in its press release that the breach affected about 18,000 of its members.

BSC also notified California’s Attorney General as required by state law and included a template notice letter that it sent to affected BSC members. The letter sets forth the type of compromised information, including a patient’s “name, address, date of birth, Blue Shield subscriber number, name and address of a clinic or facility that provided your health services and in some instances the name of your health care provider, your medical record number and internal SHDS processing notes.” BSC stated in the letter that it took “immediate steps” to prevent further breach after discovery on June 26, 2018. SHDS hired Mandiant, a global forensic firm, to assist in the investigation of this breach.

As we’ve previously discussed on the blog, covered entities need to stay vigilant not only of their own compliance with HIPAA’s privacy and security rules but also that of their vendors who may have access to PHI. Even though the breach occurred at the business associate and not the covered entity, the covered entity is still responsible for providing notice to affected individuals, which often requires significant money and resources. Breaches caused by business associates can lead to costly investigation, notification, and mitigation efforts for covered entities. Therefore, covered entities should work to ensure that:

  • They have business associate agreements in place with all vendors that handle PHI;
  • They have performed due diligence on their vendors;
  • They have included contractual protections in their underlying services agreements and business associate agreements with business associates, including indemnification provisions; and
  • They have reviewed their cyberliability insurance coverage and understand their policies' coverage of breaches by vendors.