As Vendor Breaches Surge, Medical Practices Need 20/20 Visibility on Third Parties
An Arizona firm that provides administrative services to about a dozen ophthalmology practices in several states is notifying nearly 2.4 million patients of a November hacking incident that may have compromised its sensitive information.
The data theft is among the latest major hacking incidents reported to regulators by HIPAA-regulated business associates. Last year, 4 in 10 hacks involved a third-party vendor providing one or more of a wide range of services – from bill collecting to transcribing notes – to scores of healthcare organizations.
Medical Management Resource Group, which does business as American Vision Partners, works with – and “shares” a management system, IT and infrastructure with – 12 practices, according to its website. The incident involved the hack of a network server and affected more than 2.35 million individuals, the company said in a Feb. 6 report to the Department of Health and Human Services.
The Tempe, Arizona-based firm said that on Nov. 14 it had detected unauthorized activity on certain parts of its network. MMRG said it had promptly taken steps to contain the incident, including isolating the affected system and engaging assistance from outside cybersecurity firms. The company said it also had notified law enforcement and has taken additional actions to further secure its IT systems.
MMRG said that around Dec. 6, it determined that the “unauthorized party” in the November incident had obtained personal information associated with patients of its affected practices.
The compromised information varies among patients but may include names, contact information, birthdates and medical information including services received, clinical records and medications. For some individuals, the hack also affected Social Security numbers and insurance information.
In a breach notice, MMRG advised affected individuals to take “certain steps” to help protect their sensitive information in the wake of the incident, including keeping a close eye on their credit reports and reviewing their account statements. MMRG is offering affected individuals two years of complimentary identity and credit monitoring.
MMRG did not immediately respond to Information Security Media Group’s request for additional details about the incident, including how many of its ophthalmology practice clients had been affected.
Practices listed on the website include several Arizona-based practices – Barnet Dulaney Perkins Eye Center, Southwestern Eye Center, M&M Eye Institute, Retinal Consultants of Arizona, Aiello Eye Institute and Moretsky Cassidy Vision Correction; two Nevada practices – Abrams Eye Institute and Wellish Vision Institute; two in Texas – West Texas Eye Associates and Laser Eye Center of Lubbock; one in New Mexico – Southwest Eye Institute; and one in central California – Vantage Eye Center.
Vendor Risk
The MMRG incident is one of the latest major health data breaches involving third-party services firms. In 2023, business associates – including bill collection companies, practice management firms and medical transcription services – accounted for nearly 40%, or 275, of the 734 major breaches reported to HHS.
Those incidents affected nearly 90.3 million people, or about two-thirds of the 135.3 million individuals who were victims (see: How 2023 Broke Long-Running Records for Health Data Breaches).
The largest of those incidents was reported by medical transcription services firm Perry Johnson & Associates; the breach has so far affected several large healthcare entity clients and about 14 million people. PJ&A initially reported the incident in November to HHS as having affected nearly 9 million individuals. But in recent months and weeks, several subsequent breaches stemming from the same hack and affecting additional PJ&A clients and millions of their patients have been reported to regulators (see: Therapy Provider Notifying 4 Million Patients of PJ&A Hack).
Vetting Vendor Risk
Healthcare organizations should talk about these recent incidents with their vendors and third-party providers and inquire about the controls and options they have in place, said Dustin Hutchison, vice president of services and CISO at security consulting firm Pondurance.
“The threat landscape and vulnerabilities are constantly changing, so an ongoing examination of how to improve to better serve patients is important,” he said. Vendors and business associates that provide critical services are targets for attacks because they handle large volumes of data, “so the expectations of controls and the ability to demonstrate those controls should be higher.
“Organizations are going to have different requirements, but establishing a strong program baseline for all of their clients should be the norm. Being able to demonstrate an aggressive vulnerability management program with appropriate access controls, auditing and proactive detection and response goes a long way.”
Even smaller medical practices should not be at the mercy of their third-party providers when it comes to security and compliance, especially when they have other options in the market, according to Hutchison.
“Practices of any size should focus on ensuring the security controls they need are available prior to purchase by having the conversation with the vendor and including those requirements in the contract,” he said. Vendors that focus on smaller practices should have a clear understanding of and stance on shared responsibility and why their solution is appropriate for the practice, he added.
“Medical practices should focus on understanding third-party risks by establishing their risk tolerance based on regulatory requirements and necessary security controls to protect their data and environments. The best time to ensure a vendor meets security and compliance requirements is prior to purchase by reviewing the vendor’s processes and controls available and alignment with the practice expectations and needs.”