Ben Sutherly reports a follow-up on the Community Mercy Health Partners breach reported previously on this blog. According to Sutherly, the actual number of patients potentially affected was far lower than the 113,000 reported to HHS because of duplicate records.
And as a result of the breach, Community Mercy no longer contracts with the vendor, he said.
The vendor was not named. Read more on Columbus Dispatch.
This is the second time this week I’ve read of a HIPAA-covered entity cancelling its contract with a vendor responsible for a breach. Earlier this week, Radiology Regional Center indicated that it was no longer using Lee County Solid Waste Division as a vendor after an incident in which almost half a million patient records headed for incineration fell out of the vendor’s truck.
Both of these incidents involving paper records should remind everyone of the need to monitor vendors and business associates for compliance with the security terms of any contract. Regardless of whom HHS or a state might hold responsible, the patients will hold the covered entity responsible, and such incidents may diminish trust or confidence in the covered entity.
As an aside, I wonder if vendors involved in paper records are more likely to lose contracts following a breach than vendors involved in electronic records. As a society, are we more inclined to see vendors involved in the latter as “victims” while seeing those involved in the former as just “negligent”?