Chris Vickery, who discovered the Systema Software leak, informs DataBreaches.net that he filed a complaint with HHS/OCR about the leak.
Of note, and in response to an inquiry he sent on September 17 asking about the status of his complaint, OCR responded today:
We are aware of this case and are actively working on it. Thank you for your inquiry.
As noted previously on this site, workers compensation carriers are generally not covered by HIPAA, but state agencies or entities may be HIPAA-covered entities. When Vickery investigated, he found a copy of Kansas’s contract with an attached Business Associates Agreement for Systema Software. The contract states, in part:
HIPAA Confidentiality:
Per the Health Insurance Portability and Accountability Act (1996) (HIPAA), the agency is a covered entity under the act and therefore Contractor is not permitted to use or disclose health information in ways that the agency could not. This protection continues as long as the data is in the hands of the Contractor. […]
Subject to the limitation of liability in Section 3.19 above and the BAA, Contractor agrees to hold the SSIF harmless from any HIPAA violations, indemnify the SSIF and pay fines and mitigation costs which directly or indirectly result from the Contractor’s failure to comply with the HIPAA.
So Systema Software might be on the hook for costs associated with this leak – at least for the part relating to the Kansas SSIF database. And both they and Kansas may have questions from OCR to answer.
To date, none of the involved agencies or Systema appear to have submitted a breach report to HHS or the California Attorney General’s Office – or at least, there’s nothing up on either public breach tool yet.