Earlier this year, in March, nearly 60 healthcare providers were informed that their third-party vendor, Shields Health Group, suffered a major data breach. During this cyberattack, approximately 2 million patients had their data compromised.
In the wake of this massive breach, healthcare organizations are reviewing their security measures and considering what steps to take in case one of their vendors is compromised.
What If Your Data Is Breached?
If there is a data breach, your organization's Privacy Officer and Data Protection Officer must act quickly and coordinate key responders, including your HIPAA Compliance Officer, legal team, third-party risk assessment team, incident response team, and IT department. That team should work with the vendor to determine how much data was compromised and what action the vendor is taking to investigate and report the breach, and should maintain continuous communication with specific legal and incident response personnel.
It's important to fully understand what the vendor is doing for short-term mitigations, such as monitoring patient credit or identifying thieves, as well as for long-term mitigations and remediations over the next three to six months. Your internal teams should also identify and understand the legal and regulatory ramifications of the vendor breach as it pertains to your organization and its patients, and determine your organization's reporting and investigative obligations under regulatory and legal requirements such as those outlined in the HIPAA Breach Notification Rule.
At a minimum, a risk reassessment should be performed on the vendor within six months of the data breach. That time should be sufficient to allow the vendor to perform the investigation, implement mitigations and remediations, and review lessons learned before the reassessment.
What If Your Data Is Not Breached?
What should you do if your vendor suffered a data breach, but your organization's data was not compromised? It’s still necessary for your organization to follow up with the vendor regarding the action they have taken in response to the attack.
It's necessary to confirm that the vendor will provide a public report of the findings as soon as possible. However, a vendor may be limited in what it can disclose outside of public notifications and updates, based on the facts of the breach and the status of any ongoing criminal investigation. If this is the case, your organization can monitor the vendor during the investigation period through routine check-ins with key internal teams and a continuous monitoring approach. Your third-party risk assessment team should still plan to reassess the vendor no later than six months from the time of the breach.
Steps for Responding to a Third-Party Data Breach
- Confirm Official Letter. As soon as you become aware of a breach, contact your Privacy or Data Protection Officer to talk to your vendor and determine if your data was compromised. If so, your legal team and other key team members from incident response and third-party risk management should discuss the details of the breach and the investigation with your vendor.
- Confirm Investigation. If your data isn’t part of the breached data set, reach out to the vendor to confirm details of the breach and inquire, at minimum, if an investigation is underway as well as what they are doing for short-term and long-term mitigations.
- Take Internal Action. If your data is part of the breached data set, know what legal, regulatory, and investigative actions your organization needs to take. Those actions should include making the breach notifications required under HIPAA and notifying your patients of the breach.
- Check In Periodically. Perform routine check-ins with the vendor for investigative updates and to confirm which mitigations or remediations have been implemented.
- Continuously Monitor. Continually monitor the vendor and consider using a monitoring solution, such as risk alerts and monitoring services.
- Reassess. Schedule a risk reassessment on the vendor no later than six months after the breach. The reassessment may be conducted sooner depending on the compromised data's scope and the investigation's length.
The key to responding to a third-party data breach is communication. HIPAA requires business associates, also known as high-risk vendors, to report a breach of your PHI to you no later than 60 days after the breach occurred. Vendors must notify your organization within this timeframe or sooner of any breaches involving sensitive data, including proprietary or internal data.
When your organization is notified of a breach, it’s extremely important to communicate with your vendors and ask the right questions. It's necessary to understand the scope of the breach. Additionally, knowing how the vendor is investigating, reporting, and mitigating the breach will enable your organization to determine what steps it needs to take to ensure compliance with regulatory requirements and protect its patients.