In December 2022, Oklahoma-based Avem Health Partners, a provider of administrative and technology services to healthcare organizations, released a data breach notification. The third-party breach occurred at 365 Data Centers, a storage vendor used by Avem.
This breach was one of the final healthcare breaches of 2022. While not the largest breach of the year, it does once again demonstrate how vulnerable healthcare organizations are to cyberattacks.
SEE ALSO: This year’s largest healthcare data breaches
What happened to Avem Health Partners and how can other healthcare organizations avoid business associate breaches?
What happened?
Within its short notice, Avem outlined what it knew about the breach at 365 Data Centers. The company contacted Avem about the breach on September 9, 2022. It discovered that an unauthorized party may have accessed information on its servers in May 2022.
According to a lawsuit against the vendor, 365 Data Centers “suffered a ransomware attack that caused the shutdown of their entire cloud network and loss of its clients’ data and critical infrastructure.” 365 Data Centers’ website and customer portal were inaccessible, and service was halted.
Once notified, Avem conducted a review of its files. Those compromised files with 365 Data Centers contained protected health information (PHI) such as:
- Names
- Dates of Birth
- Social Security Numbers
- Driver’s license numbers
- Health insurance numbers
- Diagnosis and treatment information
The U.S. Department of Health Office for Civil Rights’ (OCR) Breach Portal lists the breach as a hacking/IT incident affecting 271,303 individuals. At this time, not much else is known except that a law firm initiated an investigation into Avem Health Partner’s role in the breach.
Healthcare business associates
Most covered entities do not handle all healthcare-related activities by themselves. Rather, they have business associates to help them out. A business associate is a person or entity that performs certain functions or activities that involves PHI.
READ MORE: What are business associates’ responsibilities under HIPAA?
In this case, 365 Data Centers is a business associate of Avem Health and many other organizations. One of the roles of a business associate is to help a covered entity comply with the HIPAA Privacy Rule. And just like healthcare covered entities, business associates must be HIPAA compliant.
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI, but they must receive assurance that the information is protected through a signed business associate agreement (BAA). There is no mention if Avem Health had a contract with 365 Data Centers.
Unfortunately, business associates frequently have data breaches. This breach shows that a third-party vendor can be problematic, especially when these companies do not use strong security measures.
Third-party vendors and data breaches
As we stated, business associates are critical to proper healthcare delivery. Unfortunately, vendor breaches are known to cause massive disruptions in all sectors. In 2020 alone, we witnessed devastating breaches at Colonial Pipeline, SolarWinds, and Accellion.
Business associates were at the center of nearly 40% of 2022’s reported breaches on OCR’s portal. More than 30 organizations were impacted by a single business associate breach at Ciox Health.
LEARN ABOUT: Most of the 10 largest healthcare data breaches in 2022 are tied to vendors
According to the American Hospital Association, business associate breaches “are high-probability, high-impact events.” And their repercussions are as costly since each healthcare organization may be hit with a HIPAA violation. Moreover, a single breach of a business associate can injure multiple healthcare organizations and patients.
Protection against vendor breaches
There are several ways to ensure vendors utilize strong cybersecurity. First, as stated by HIPAA, covered entities and business associates must sign a BAA. This ensures that these vendors remain vigilant when working with PHI. And before a covered entity signs the agreement with a business associate, it is necessary to:
- Understand employed security measures
- Require similar features to its own
- Control the type of information accessible
- Identify all users/devices with access
Furthermore, healthcare organizations must continually review their contracts and the state of their PHI.
Avem is currently reevaluating its vendor relationships given what happened though it may be too late. The blame can fall onto a covered entity if they knowingly sign or skip a BAA with a breached business associate.
Finally, business associates themselves must ensure that they utilize HIPAA compliant technical, administrative, and physical safeguards when dealing with PHI. This includes employee awareness training, strong access controls, firewalls, and encryption.
Moreover, enabling HIPAA compliant email, like Paubox Email Suite, is crucial to safeguarding all data accessible through email.
All business associates must use strong security like Paubox
Phishing emails are one of the most common threat vectors used to gain access to any system. Paubox Email Suite offers a variety of features to keep email safe and secure from cyberattacks.
CHECK OUT: HIPAA compliance for email in 3 easy steps
Not only does Paubox use automatic email encryption, but we also offer to sign a BAA for all of our customers. Indeed, our HITRUST CSF certified solution requires no change in email behavior. It works with any existing email platform, such as Microsoft 365 and Google Workspace.
Our Plus and Premium plans have robust inbound security tools that protect inboxes from ransomware, viruses, and phishing attacks. We also have advanced security tools to protect data, including ExecProtect and Zero Trust Email.
HIPAA compliant email and strong email security have never been easier. Ensure your patients' data remain safe and secure, even from cyberattacks against business associates.
Kapua Iao
