Chilivis Grubman recently discussed a data breach at OneTouchPoint, Inc., a business associate (“BA”) of several healthcare companies. One healthcare company (Aetna ACE) reported that the protected health information of 326,278 plan members was exposed because of the cyber-incident that OneTouchPoint experienced. CG attorneys cautioned covered entities to consider, understand, and verify the security efforts of BAs, as BAs remain susceptible to cyber-incidents, just as healthcare providers and plans are.
Around the same time that Aetna reported the data breach suffered by its BA, another company that serves as a BA for several health companies provided notice that it too was a victim of a cyber-incident. Practice Resources, LLC (“PRL”) notified the California Attorney General’s Office that it suffered a cyber-incident, specifically a ransomware attack. PRL provides professional services, such as billing services, remote scribing services, payroll services, provider services, practice consulting, and other services.
PRL’s HHS notice was on behalf of twenty-eight covered entities and affected 942,138 patients. PRL did not list Aetna as an impacted covered entity, and there is no indication that the cyber-incident affecting Aetna’s business associate is related to the PRL cyber-incident. PRL indicated that the breach occurred on a network server and resulted in an unauthorized party gaining access to patient names, home addresses, dates of treatment, health plan numbers, and medical record numbers. The affected covered entities include hospitals and private practices. The Salvation Army is also listed as an affected party. There is no information on whether PRL paid a ransom. There is also no information concerning the identities of the cyber attackers.
Unfortunately, PRL is another example of a BA suffering a cyber-incident that potentially exposes sensitive and protected data of unsuspecting individuals. These increasingly common cyber-incidents also affect the covered entities, who may have to expend resources to ensure compliance with state and federal regulations. Organizational leadership – at every level – should appreciate the seriousness and frequency of cyber-incidents. These incidents affect entities of all sizes and types. Proper preparation, training, leadership buy-in, and resources (internal and external) all help reduce the impact of a cyber-incident. Given the frequency of cyber-incidents, it may be best to assume that one will eventually affect every company.
The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breaches and cybersecurity matters, including regulatory obligations and litigation arising therefrom. If you need assistance with such a matter, please contact us today.