Klaussner Furniture Industries, Inc., a privately-owned furniture manufacturer in Asheboro, North Carolina, recently reported that it discovered a cyberattack that occurred earlier this year. As part of its reporting, Klaussner provided a breach report to the U.S. Department of Health and Human Services Office of Civil Rights (OCR). Although Klaussner’s business operations are clearly outside of the healthcare industry, it still determined the need to follow HIPAA’s notice and reporting requirements because it maintained information protected under HIPAA through its sponsorship of a self-funded health benefit plan for its employees.
Upon discovery of the cyberattack, Klaussner took immediate action, and, through its internal investigation, the company learned that a hacker “gained access to two computers on its networks that contained certain personal information about a limited number of current or former employees, and some of their dependents.” This cyberattack affected approximately 9,300 people whose various types of private information was exposed, possibly including names, addresses, Social Security numbers, financial account information, dates of birth, health information, and/or health benefit election information.
The HIPAA Breach Notification Rule generally requires covered entities and their business associates to provide notice to individuals when their protected health information (PHI) is exposed through a breach. The U.S. Federal Trade Commission and the HITECH Act also provide similar notice requirements for vendors of personal health records and related third party providers. Moreover, various states have laws requiring notice and other follow-up action.
Klaussner’s data breach highlights the challenges faced by non-healthcare industry companies when having to determine whether a breach incident is subject to HIPAA’s reporting requirements, especially when such companies sponsor self-funded, self-insured health benefit plans and therefore maintain PHI in-house. Companies that sponsor such health benefit plans should implement administrative, technical, and physical safeguards to better protect PHI in accordance with HIPAA’s requirements, even if the company is not a covered entity under HIPAA.