Briggs Stratton Corporation, a manufacturer of lawnmower engines, has discovered malware was present on its systems which potentially gave unauthorized individuals access to the system where ePHI was stored.
A lawnmower engine producer may not appear to be a HIPAA covered entity, since the firm is not in the healthcare sector and does not provide services to healthcare organizations as a business associate; nevertheless, the company is still required to adhere to the HIPAA Rules.
When Briggs Stratton experienced the potential breach of employee details, the company was legally obliged to report the incident to OCR, and notification letters had to be issued to its workforce.
Because it maintains a self-insured group health plan, Briggs Stratton is required to comply with the HIPAA Rules. Employers and health plan sponsors must ensure that HIPAA policies are implemented for their group health plans, that any ePHI created, accessed, stored, or transmitted is secured to the standards required by the HIPAA Security Rule, and that all HIPAA Rules are respected. That includes completing business associate agreements with any organization that has access to the ePHI of its staff, is provided with ePHI, or has access to systems storing ePHI.
When there is a breach of that information regarding employees, the HIPAA Breach Notification Rule applies. In the Briggs Stratton case, the breach was a hacking/IT incident leading to a potential unauthorized disclosure of ePHI. Malware was found on its systems which potentially gave unauthorized people access to the IT system where ePHI was kept. Access to the system was possible between July 25 and July 28, 2017.
Briggs Stratton became aware of the incident on July 25 and implemented measures to limit the attack. A law enforcement investigation into the incident meant that notifications were delayed until September 30, 2017.
The breach affected 12,789 members of its workforce and potentially led to the exposure of names, addresses, dates of birth, driver’s license numbers, Social Security numbers, health plan IDs, insurance information, passport numbers, work-related evaluations, and login credentials to its work and IT systems. No signs of misuse of any health plan data have been found, although workforce members affected by the breach have been offered credit monitoring and identity theft protection services free of charge for 12 months. Measures have also been implemented to strengthen security and prevent similar incidents from being experienced in the future.
The incident is a timely reminder that not all HIPAA covered entities fall under the standard classification of healthcare providers, health plans, or business associates: even firms not directly involved in healthcare may be required to comply with the HIPAA Rules and can face financial sanctions for non-compliance.
Briggs Stratton was well aware of its responsibilities and had implemented a HIPAA compliance program, and it acted properly and quickly when a potential data breach occurred.