Bansley and Kiener (B&K), a Chicago-based certified public accounting firm, reported multiple data breaches to the Office for Civil Rights (OCR) that resulted in over 70,000 individuals having personally identifiable information (PII) exposed.
These individuals are people "whose employers or other business entities retained Bansley to manage their payroll, pension, health insurance, personal health information, and/or other benefits," according to a class-action lawsuit that was filed against B&K.
The lawsuit alleges that B&K didn't notify affected individuals for nearly a year and is responsible for "failure to properly secure and safeguard personal identifiable information."
The data security incident was first detected by B&K on December 10, 2020. It appears that ransomware had encrypted the network.
According to the CPA firm, it addressed the incident by using backups to restore the impacted systems and made upgrades to its computer security.
"We believed at the time that the incident was fully contained and did not find any evidence that information had been exfiltrated from our environment," B&K said in a statement.
However, on May 24, 2021, B&K discovered that sensitive information, such as names and Social Security numbers, had been exfiltrated from its systems by an unauthorized individual. Subsequently, an investigation was launched and a cybersecurity firm was brought in to assist. In August 2021, the cybersecurity firm confirmed that a data theft had occurred.
B&K then took over 5 months to send a notification to OCR and affected individuals about the data breach.
Business associates are required to report data breaches to the OCR within 60 days of discovery. The delayed notification is considered a HIPAA violation, and it could result in fines or corrective action plans.
Besides the OCR, B&K is also facing trouble with affected individuals over the delayed notification. A class-action lawsuit was filed against the CPA firm shortly after it admitted to the data breach.
The lawsuit claims that B&K failed to "provide timely, accurate and adequate notice (of the data breach) to Plaintiff and Class Members whose employers or other business entities retained Bansley," and alleges that unencrypted PII was exposed "due to Bansley’s negligent and/or careless acts and omissions."
The lawsuit also takes issue with Bansley resuming normal operations after detecting the data breach and taking several months to hire a cybersecurity firm to investigate the incident. Plaintiff Gregg Nelson is seeking damages and other equitable relief for himself and anyone else impacted by the data breach.
Class-action lawsuits are not unheard of when a data breach occurs. Covered entities and business associates, like US Fertility and Blackbaud, often find themselves sued for negligence and for not keeping protected health information (PHI) secure.
A robust cybersecurity system should never be an afterthought. It's important to consistently stay proactive against potential threats to your network. Business associates that store, transmit, or have access to PHI have an obligation under HIPAA to put in place reasonable safeguards to protect PHI.
One of these safeguards is email security, described below.
Email is often the most common threat vector for cybercriminals to infiltrate your network, because it targets the weakest link in your cybersecurity: the people reading their inbox.
Phishing emails rely on human error and social engineering to convince people to download attachments or click on links that deliver malicious software. Covered entities should take precautions to ensure that their employees don't fall victim to phishing emails.
One way to accomplish this is to have a strong inbound email security system. Paubox Email Suite Plus automatically encrypts every email sent, and it also blocks malicious emails from ever entering your employees' inboxes.
Our HITRUST CSF-certified software includes a business associate agreement (BAA) in every plan, so you can rest assured that we take protecting your inbox seriously.