Cyberattacks on business associates of HIPAA-covered entities have the potential to affect many covered entities, and attacks on business associates have increased in recent years. This year has already seen a major ransomware attack on Eye Care Leaders – an electronic medical record provider serving eye care clinics across the United States. The number of eye care providers affected by the incident has not yet been confirmed, but 33 practices have already confirmed they have been affected and the records of more than 2.9 million patients are known to have been exposed and possibly stolen in the attack.
In 2019, the largest data breach of the year was a cyberattack on a business associate – American Medical Collection Agency (AMCA). AMCA was a business associate of many medical laboratories and provided debt collection services. The AMCA cyberattack exposed the data of at least 24 of its healthcare clients and of more than 26 million patients.
Last week, just before the July 4 weekend, another major data breach was reported by a business associate that may well eclipse these two data breaches in terms of the number of individuals affected, and certainly does in terms of the number of healthcare providers affected. The number of individuals affected is not yet known, but the breach involved the data of 657 of its healthcare provider clients.
Professional Finance Company Inc. (PFC) is an accounts receivable management company that serves many clients in the healthcare industry and helps them recover outstanding medical bills. In February 2022, PFC detected and blocked a ransomware attack; however, the group behind the attack gained access to files containing sensitive patient data. The data exposed included names, addresses, accounts receivable balances, and information regarding payments made to accounts, along with birth dates, Social Security numbers, health insurance information, and medical treatment information for some individuals.
PFC said it notified affected healthcare provider clients on May 5, 2022, and notification letters are now being sent to affected individuals. Free credit monitoring and identity theft protection services are being provided.
Data breaches at business associates are often reported separately by each affected covered entity, rather than being reported by the business associate. So far, only one of the 657 healthcare providers has reported the breach to the HHS’ Office for Civil Rights – Bayhealth Medical Center. Bayhealth said the records of 17,481 individuals were potentially compromised, giving an indication of the scale of this data breach.