Earlier this year, in March, nearly 60 healthcare providers were informed that their third-party vendor, Shields Health Group, suffered a major data breach. During this cyberattack, approximately 2 million patients had their data compromised.
In the wake of this massive breach, healthcare organizations are reviewing their security measures and considering what steps to take in case one of their vendors is compromised.
If there is a data breach, your organization's Privacy Officer and Data Protection Officer must act quickly and coordinate the key responders: your HIPAA Compliance Officer, legal team, third-party risk assessment team, incident response team, and IT department. That team should work with the vendor to determine how much data was compromised and what action the vendor is taking to investigate and report the breach, and it should maintain continuous communication with designated legal and incident response personnel on both sides.
It's important to fully understand what the vendor is doing in the short term, such as credit monitoring or identity theft protection for affected patients, as well as the longer-term mitigations and remediations it plans over the next three to six months. Your internal teams should also identify and understand the legal and regulatory ramifications of the vendor breach as they pertain to your organization and its patients, and determine your organization's own reporting and investigative obligations under applicable regulatory and legal requirements, such as those outlined in the HIPAA Breach Notification Rule.
At a minimum, a risk reassessment should be performed on the vendor within six months of the data breach. That time should be sufficient to allow the vendor to perform the investigation, implement mitigations and remediations, and review lessons learned before the reassessment.
What should you do if your vendor suffered a data breach, but your organization's data was not compromised? It’s still necessary for your organization to follow up with the vendor regarding the action they have taken in response to the attack.
It's necessary to confirm that the vendor will provide a report of its findings as soon as possible. However, a vendor may be limited in what it can disclose beyond its public notifications and updates, depending on the facts of the breach and the status of any ongoing criminal investigation. If this is the case, your organization can monitor the vendor during the investigation period through routine check-ins with key internal teams and a continuous monitoring approach. Your third-party risk assessment team should still plan to reassess the vendor no later than six months from the time of the breach.
The key to responding to a third-party data breach is communication. HIPAA requires business associates (vendors that create, receive, maintain, or transmit PHI on your behalf, typically treated as high-risk vendors) to notify you of a breach of your PHI without unreasonable delay and no later than 60 days after the breach is discovered. Because that rule covers only PHI, your vendor contracts should require notification within the same timeframe or sooner for any breach involving other sensitive data, including proprietary or internal data.
When your organization is notified of a breach, it's extremely important to communicate with your vendors and ask the right questions. First, understand the scope of the breach. Then, knowing how the vendor is investigating, reporting, and mitigating it will enable your organization to determine what steps it needs to take to comply with regulatory requirements and protect its patients.