Healthcare organizations have an obligation under HIPAA to safeguard their patients’ protected health information (PHI). When it comes to communication through email, this means utilizing HIPAA email to ensure strong encryption and access controls.
But protecting PHI is not the only responsibility. Healthcare providers must also ensure that the organizations they work with (i.e., their vendors) are HIPAA compliant as well. That’s because a third-party email security risk can be as devastating as one to yourself.
But what can you do to about these organizations, known as business associates under HIPAA, if they are noncompliant? And what do you do if a vendor not only violates HIPAA but does so multiple times, like the vendor Eye Care Leaders (ECL)?
Eye Care Leaders' data breach
ECL is a healthcare business associate based in North Carolina. It offers ophthalmology-specific electronic medical records (EMRs) and practice management systems. The company uses a cloud-based EMR system, called myCare Integrity, to improve workflow for eye care practitioners.
In December 2021, the organization experienced unauthorized access to its EMR system. According to notices provided by ECL, threat actors deleted databases and system configuring files. The company added that the breach did not impact organizations’ internal systems. However, ECL is unsure if the threat actor accessed PHI like names, dates, or Social Security numbers.
Healthcare organizations received notification on March 1, 2022 about the December breach. In return, the affected providers began to inform their patients. We know that the breach impacted at least eight organizations and 342,000 individuals.
The U.S. Health and Human Services (HHS) Breach Notification Portal lists the breach under each individual organization. The portal does not mention ECL.
At this time, we do not know much about what happened. But this incident does shed some light on multiple attacks against ECL in 2021 that the company hid. Given the severity of the incidents, ECL must be under investigation by HHS’ Office for Civil Rights.
Eye Care Leaders: a vendor gone wrong
The HIPAA Privacy Rule allows covered entities to share PHI with business associates if certain provisions are in place. This includes a signed business associate agreement (BAA) that safeguards a covered entity and demonstrates the vendor’s HIPAA compliance.
We do not know which (if any) organizations signed a BAA with ECL. But what we do know is that ECL was not HIPAA compliant and violated HIPAA multiple times in 2021 and 2022.
The incidents impacted over 580,000 individuals through some of the following organizations:
| Ad Astra Eye (3,700) |
Alliance Ophthalmology (unknown) |
Allied Eye Physicians and Surgeons (20,651) |
Arkfeld, Parson, and Goldstein, P.C. (14,984) |
| Associated Ophthalmologists of Kansas City (13,461) |
AU Health (50,631) |
Burman & Zuckerbrod Ophthalmology Associates (1,337) |
Dallas Retina Center (unk) |
| EvergreenHealth (21,000) |
Finkelstein Eye Associates (58,587) |
Fishman vision (2,646) |
Frank Eye Center (26,333) |
| Moyes Eye Center (38,000) |
Northern Eye Care Associates (8,000) |
Regional Eye Associates (194,035) |
Shoreline Eye Group (57,047) |
| Summit Eye Associates (54,000) |
Sylvester Eye Care (19,377) |
Texas Eye and Cataract (unk) |
|
A new lawsuit filed by the Middle District of North Carolina, Alliance Ophthalmology, Dallas Retina Center, and Texas Eye and Cataract contains some interesting claims.
The coverup
First, the providers concealed the initial breaches and the reason for subsequent outages. It appears the first outage occurred in March 2021 with another in April. Rather than admit the attack, ECL misrepresented what happened. The company only told providers that it would restore its system; in fact, some services remained unavailable for months. Moreover, ECL did not report the 2021 breaches as ransomware attacks. Ransomware is malware used to deny a victim access to a system until a ransom is paid.
In a 2016 blog post, we called ransomware “the biggest threat to email security.” And as ECL did not report the breaches, no one knows the extent of PHI access, loss, and exposure.
Finally, ECL failed to timely notify those affected after each incident. As organizations report, the company did not send notice until after the 60-day timeframe specified in the HIPAA Breach Notification Rule.
Other incidents and allegations
The lawsuit further claims that ECL faced another ransomware attack on August 27, 2021. While called an outage by the company, the lawsuit claims that “the attack was by a former ECL employee.” When the employee left, ECL did not revoke access, allowing the employee to wreak “havoc” in the system. The lawsuit states that this is an example of ECL’s “gross negligence.”
RELATED: Are cybercriminals actively recruiting your employees to attack you with ransomware?
Within the pages of the lawsuit, the organizations also notes that ECL manager Greg E. Lindberg was convicted of conspiracy and sentenced to 87 months in prison. It is unknown if there is a connection. Investigations are ongoing.
Why the lawsuit?
Even though ECL claims to have restored services, providers are still experiencing outages and issues, such as:
- Inaccessible and disorganized EMRs
- Inability to bill patients
- Continued system outages
- Lost PHI
- Disrupted patient care
- Problems remaining HIPAA compliant
The providers further state that ECL continued to bill them while refusing to admit what happened.
Vender management and strong cybersecurity
Cybersecurity for vendors must be as strong and secure as the organizations they work for. That is because both parties can be held liable for third-party HIPAA violations. Given the volume and breadth of ECL’s breaches and violations, it is obvious that the company was not HIPAA compliant. The vendor clearly did several things wrong.
SEE ALSO: How healthcare can avoid devastating supply chain cyber attacks
But what exactly should have happened?
Choose vendors wisely
A third-party breach could mean terrible things for a healthcare provider, which is why it is important to vet everyone you work with. Healthcare organizations must start with a vendor assessment to identify potential vendor risks and issues. And if a vendor passes the assessment, sign a BAA for further protection. Work out the details of what you expect from the beginning.
But vender management doesn’t stop there. Organizations must also perform continuous routine checkups and assessments. Even that does not guarantee complete protection from a breach or HIPAA violation. That is why, if one occurs, it is necessary to have all the provisions already in place. Organizations may decide to sever ties; Summit Eye Associates is terminating its relationship with ECL. They may also allow the business associate time to correct the issue; Evergreen Health is looking into several possibilities. Or they may choose stronger remedial measures, such as the three providers suing ECL.
Follow HIPAA guidelines for cybersecurity
The HIPAA Privacy and Security rules provide essential guidelines for the proper protection and disclosure of PHI, whether in paper or electronic (ePHI) form. The idea is to safeguard how healthcare organizations use, disclose, and share PHI. Using the rules as guides, healthcare providers can create policies and procedures on implementing and utilizing strong cybersecurity. These policies would need to include offline backups, physical and technical access controls, and employee awareness training. Moreover, they would need to include strong perimeter defenses such as antivirus or antivirus software.
And to block ransomware, the cause of ECL’s difficulties, strong HIPAA email security with:
- Encryption
- Secure gateways
- Strong access controls
- Data loss prevention (DLP)
- VPNs (virtual private networks)
Kapua Iao
