Third-party incidents continue to put patient ePHI at risk: Protenus

Posted on by Dissent

Protenus, Inc. has released its Breach Barometer for January. As they report, 2017 is starting out where 2016 left off: we are seeing an average of one breach per day involving health data. Protenus’s report, based on 31 incidents, reported that there were 388,307 breached records for the 26 incidents for which they had numbers. The single largest incident was a third-party incident involving 220,000 patient records.

In addition to the 31 incidents that Protenus analyzed, DataBreaches.net subsequently found 4 additional incidents that were disclosed in January but had not been posted to HHS’s breach tool in time for inclusion in Protenus’s analysis.  An updated analysis using 35 incidents, with numbers for 28 of them, yielded 465,007 breached records for incidents disclosed during January.

Of note, Protenus found that third-party breaches continue to account for a significant proportion of breached records. While (only) 19% of the incidents in their analysis reported third-party involvement (although there may have been more), 82% of the breached records for the month were associated with third-party breaches. When the data were re-analyzed after adding the late-comers, DataBreaches.net found that 23% of the incidents reported third-party involvement, and third-party incidents accounted for 341,575 records, or 73% of all breached records for the month.

Third-Party Incidents: More Breached Records, Longer Delays to Notification

In addition to accounting for the majority of breached records, third-party incidents also contributed significantly to delayed notifications. Two incidents in particular are noteworthy:

The Summit Reinsurance Services breach, first reported on this site in December, raises questions that have yet to be answered about notification delays. In March 2016, the reinsurer’s server was reportedly first accessed, but the access was not detected until August 8, when they discovered a ransomware attack. At the end of November, we learned of the breach when the Louisiana Health Cooperative disclosed that 8,000 of its members had been affected. They had been notified by Summit on October 24.  Other clients – and the clients’ patients – did not get notified until later. In addition to the Louisiana Health Cooperative, other clients whom we know to have been affected include Black Hawk College and 1,000 of their employees (and possibly dependents), sixteen current and former Highmark Blue Cross Blue Shield of Delaware self-insured customers and approximately 19,000 of their members, PrimeWest Health and 2,441 of their members, WellCare Health Plans, Inc., and 24,809 of its members, and Tufts Health Public Plans (formerly Network Health) and an as-yet-undisclosed number of their members.

Whether we will find out about other clients having been affected remains to be seen, but that’s more than 55,000 people affected by a ransomware attack discovered on August 8 who did not get notified until 4-5 months later.

Given that HHS recently settled charges against Presence Health for, among other issues, late notification, one might wonder whether there could be more penalties for lateness coming down the road as a result of this case.

But what constitutes “late notification” in this case? Summit Reinsurance Services is not a business associate under HIPAA. As Matt Fisher kindly pointed out to me on Twitter, HIPAA has an exemption for reinsurers. So when did the notification clock start? Applying  Jeff Drummond’s analysis of the regulations, it likely started when the reinsurer first notified the clients. The clients appear to have notified their members in a timely fashion (60 days or less), so they would appear to have complied with HIPAA for patient or member notification (although I do not see reports from all of the entities on HHS’s public breach tool).

But how is it that the reinsurer faces no consequences if it took from August 8, when they discovered the ransomware attack, until Dec. 2 (when they first notified Tufts) and mid-January when they first notified members? Could they face consequences under state laws? Perhaps. As Tuft’s external counsel reasoned, it was Summit’s obligation to notify Tuft’s members under New Hampshire law. Could it also be the case in other states, and if so, will any of them start any investigation or enforcement action as to why it took so long to notify people?

Summit Reinsurance wasn’t the only example of long delays in the January data. Eight out of 35 incidents had gaps of more than 200 days between breach and notification. In one case, it took 1,552 days for the entity to discover the breach, and then another 70 days post-discovery to notify individuals. And in yet another case, we do not know when a breach first occurred, but an entity that  claimed it had first discovered a breach on December 23, 2015 did not notify individuals until January 18, 2017. The company,  CoPilot Provider Support Services, claims that it is not a business associate or covered entity under HIPAA  but “out of an abundance of caution,” has communicated with OCR and has “otherwise taken all necessary compliance steps pursuant to HIPAA. ”

Because CoPilot’s service is related to insurance reimbursement eligibility for injections of particular medications, and because physicians input their patients’ protected health information into CoPilot’s portal and CoPilot then stores the data, I would think that the firm is a business associate under HIPAA, but then, I am not a lawyer.

Why the delays in notification?

CoPilot ignored multiple inquiries by this site and at least one other outlet as to why notification took more than one year from the date they claimed to have discovered the breach. Nor did they offer any explanation of the delay in their notifications to states, either. Noting that they were investigating a possible employee breach and that law enforcement was involved does not stop the clock unless law enforcement specifically asked them to delay notification and documented the request. That does not appear to be the case here.

As it turns out, DataBreaches.net has been provided with information that suggests that CoPilot’s entire description of the incident may require significant clarification with respect to a number of their statements. DataBreaches.net is in the process of investigating the newly obtained information.

But the main point remains: as noted in Protenus’s annual review and their January report, third-party incidents account for a disproportionate percentage of breached records and may result in significantly delayed notifications. DataBreaches.net will continue to monitor the impact of third-party breaches on the overall state of breaches involving health data.

——

The following is a list of incidents that were disclosed in January. If there is no link for the entity, it means this site was unable to find any information on the breach, even though this site did send email inquiries to a number of sites throughout the month:

Category: Breach IncidentsCommentaries and AnalysesHealth DataOf NoteSubcontractorU.S.