A July 2020 breach notification detailing an email account takeover at medical billing provider Administrative Advantage revealed that a large range of personal health data was accessible within a single employee email account. How it happened, and how many healthcare organizations were affected, is not yet clear. But there are some important questions and issues to take note of in this story.
Why are small health clinics so vulnerable?
Often, small businesses do not have mature security programs that specify clear security requirements, let alone safeguards governing how their suppliers secure data related to their business operations. In cases where suppliers process customer records such as billing, and especially sensitive data like healthcare information, the consequences can be severe.
When suppliers of health clinics do not have proper security measures in place, the first published data breach may be an indicator that many other organizations could be affected.
According to the HITECH Act, every business associate of a HIPAA-covered entity in the USA must have appropriate security safeguards in place. This is essential for ensuring proper protection of electronic health records.
In the case of this breach, there are indications that it may have exposed personal information of patients, including name, Social Security number, financial account information, driver's license and/or state identification number, credit and/or debit card number with expiration date and CVV number, date of birth, passport number, electronic signature information, username and password information, medical record number, Medicare number, Medicaid number, treatment location, diagnosis, health insurance information, lab results, and other medical treatment information.