HIPAA Business Associate Data Breach Impacts 21,856 Individuals

The importance of reviewing system activity logs has been underscored by recent HIPAA business associate data breach.

Nebraska-based CBS Consolidated Inc., doing business as Cornerstone Business & Management Solutions, conducted a routine review of system logs on July 10, 2017 and discovered an unfamiliar account on the server. Closer examination of that account revealed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies.

21,856 patients who received durable medical supplies from the company through their Medicare coverage have potentially been affected. The types of data obtained by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was exposed, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details of any items purchased or financial information.

It is currently unclear how the account was created, although an investigation into the incident is ongoing. CBS says following the discovery of unauthorized access, the server was isolated and access to data was blocked. Since the incident was discovered, CBS has been carefully monitoring its systems and has uncovered no further evidence of unauthorized access or data theft.

Due to the sensitive nature of data stolen by the hacker, all individuals impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. CBS is also reviewing its security protections and will be introducing new administrative safeguards, providing additional training to staff members on security, as well as improving technical safeguards to prevent future incidents from occurring.

This is the second worst data breach reported by a HIPAA business associate so far in 2017, behind the 56,000-record breach reported by Enterprise Services LLC in June.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.