A Reminder of the Importance of an SRA - Nearly 20 Million Patients Affected by Billing Contractor Breach!
In May 2019, Quest Diagnostics reported a data breach in which, between August 1, 2018 and March 30, 2019, an estimated 11.9 million patients' financial data, Social Security numbers and other medical information were accessed through its business associate (BA), American Medical Collection Agency (AMCA).
The breach occurred when a consultant from the credit card companies breached AMCA's security systems. Hackers commonly target financial collection companies because of the large amounts of financial and personal information they store. Any type of stored medical information is incredibly sought after!
LabCorp, which also uses AMCA, has reported a breach affecting an estimated 7.7 million patients. All companies that hold data, in this case Quest and LabCorp, have a duty to ensure that any BA or contractor is properly safeguarding their patients' personal, medical and financial information.
These breaches are good examples of how a company of any size can be a target for hackers. Medical data companies are popular targets because of the vast quantities of sensitive medical and financial information they store.
Conducting a security risk analysis (SRA) and reviewing it on an annual basis is an essential part of making sure patients' information is kept safe.
- Is your company protected?
- Do you have HIPAA compliant BA agreements in effect?
- When was the last time your organization completed an SRA?
As these breaches are investigated further, it will be interesting to see whether either company had a complete and current SRA in place. It is the responsibility of all health care facilities and their business associates to always be aware of all potential risks and vulnerabilities to the confidentiality, integrity, and availability of any protected health information, especially electronic PHI.
Healthcare Compliance Pros recommends that an initial SRA and the subsequent reviews that follow it not be considered optional. In fact, a HIPAA compliant SRA may be a healthcare organization's best defense. For help determining whether your SRA is complete, please contact your client representative team today.