HealthEquity provides access to workplace benefits for employees at companies across the United States, such as health savings accounts and commuter options for public transit and parking. In its February earnings report, HealthEquity said it had more than 15 million total customer accounts.
How did this breach occur?
The breach occurred because a user account of one of HealthEquity’s vendors was compromised. Their password was stolen and used by the malicious hacker to access the data repository.
Why is this event important to you?
Here we have a case where a large service provider experienced a breach because one of its vendors was compromised. You may have services that you share patient information with, for example an orthotic vendor or a provider of Durable Medical Equipment. It is probable that the vendor works with its own vendors to provide third-party services such as prior authorization, printing and sending of statements, data aggregation for reporting purposes, or other add-on items that are vital to its business. Or it may have accountants or other professionals who have access to its systems.
You may have perfect security in your office, your vendor may have perfect security within their systems, but a third party that integrates into their software and systems may have a security lapse. This lapse can result in a hacker getting access to all of the patient information held by your orthotic vendor – YOUR PATIENT INFORMATION. It is important to remember – even though the information is being stored in the computer systems of your vendor, it is still your responsibility. This is why it is vital that you have a Business Associate Agreement with ALL vendors who you share patient information with.
Unless the BAA says it is the responsibility of the vendor to cover all costs associated with the breach, the financial burden for the costs of the breach is YOURS. It is your practice that will be investigated by the Federal Office for Civil Rights, or your State Attorney General. This event has become your problem.
This is just one example of something that can go wrong that is completely beyond your control. This is why you need HIPAA Breach and Cybersecurity Insurance. Steps to take today – make sure you have an insurance policy with enough limits of liability to protect you in case you fall victim to a breach beyond your control. Ask your insurance carrier if they will cover you if the breach occurs at a Business Associate – this is a very important question to ask. Make sure that you have a Business Associate Agreement with all vendors that you share patient information with. And try to make sure that the BAA states the vendor is responsible for as many of the financial costs as possible for a breach that happens to their systems. It is always a good idea to have your health care attorney look at all Business Associate Agreements.
The world of cybersecurity and breaches is getting less secure every day, and the need for you to take all steps possible to protect yourself becomes more important every day.
Take the free assessment to see how your office is doing to protect yourself from a breach.