HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Vendor Configuration Error Results in Exposure of 14,000 Individuals’ ePHI

A major breach of electronic protected health information has been discovered by Universal Care, dba, Brand New Day – A Medicare approved health plan.

On December 28, 2016, Brand New Day became aware that an unauthorized individual had gained access to ePHI provided to one of its HIPAA business associates. Access to ePHI was gained via a third-party vendor system used by Brand New Day’s contracting provider six days previously on December 22, 2016.

The breach notification submitted to the California attorney general does not indicate whether the ePHI of plan members was stolen, although the data were accessed and a criminal investigation into the breach has been launched by law enforcement. The types of data accessed include plan members’ names, addresses, phone numbers, dates of birth and Medicare ID numbers.

Upon discovery of the incident, Brand New Day immediately launched an investigation and contacted its vendor to ensure that access to ePHI was immediately terminated. The vendor was informed that someone had improperly accessed plan members’ data and rapid action was taken to block access. Brand New Day says the error that allowed ePHI to be accessed was eliminated ‘within hours’ of its vendor being notified of the breach.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

While no specific mention of the exact nature of improper access was made, Brand New Day says “We changed our practices regarding access requiring monthly verification of each user.” Brand New Day is also performing a thorough ‘self audit’ to determine whether any other errors have occurred that jeopardize the confidentiality, integrity and availability of ePHI.

As a precaution against identity theft, all affected individuals have been offered 12 months’ complimentary identity theft mitigation services via Experian.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 14,005 individuals were impacted by the incident. Brand New Day says it delayed the issuing of breach notification letters so as not to interfere with the criminal investigation of the breach.

HIPAA and Business Associates

Before any electronic protected health information is provided to a business associate, a signed copy of a business associate agreement must be obtained. The business associate agreement should explain the need to comply with the HIPAA Privacy, Security, and Breach Notification Rules and the need to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI is not put at risk. The BAA should also explain the procedures for notifying the covered entity in the event of a breach of ePHI.

A BAA will not necessarily prevent breaches of ePHI, although it will ensure that business associates are aware of their responsibilities to safeguard ePHI and issue notifications in the event of a breach. Should any violation of HIPAA Rules occur, it would likely be the business associate that is liable, rather than the covered entity. Since the introduction of the HIPAA Omnibus Rule, business associates of HIPAA covered entities can be fined directly by OCR and state attorneys general if HIPAA Rules are discovered to have been violated.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.