How to Respond to a Data Breach From a Third Party

By: Raj Shah, Esq., Baker Swain
Executive Summary

As healthcare organizations continue to rely on services from third-party vendors, it’s important that providers understand what steps to take when one of their vendors incurs a data breach. An appropriate response is critical for a provider to avoid potential HIPAA data breach violations and the accompanying fines and penalties.

Recommended Actions 
  • Ensure that your practice has a system and all staff are trained to flag notices from your vendors about HIPAA data breaches. These notices can come through the mail or email. 
  • Ensure that your practice’s incident report system is up to date and all staff are trained regarding their roles. If your practice does not have such a system in place, make sure your staff knows who to immediately contact for guidance regarding your practice’s response to a data breach notice. 
  • Ensure that your practice maintains accurate copies of all licensure renewal applications.

Healthcare is one of the most vulnerable industries to cyberattacks. Although most cyberattacks happen because of human error within an organization, more healthcare organizations are experiencing data breaches from third-party vendors. A third-party vendor is an entity contracted with the healthcare organization to provide items or services such as electronic health record (EHR) systems and IT security systems. Fifty-one percent of organizations across all industries have experienced a data breach caused by a third party.

According to the Ponemon Institute/IBM Security study, healthcare organizations take, on average, 96 days to discover a data breach and 236 days to recover from one. Data breaches in the healthcare industry spiked 55 percent in 2020. 

With cyberattacks becoming more prevalent, it’s important that an organization have a plan in place to respond to notification of a data breach from a third party. This article describes how healthcare organizations should respond when they receive notice of a third-party breach and best practices for mitigating the extent of future breaches.

Action to Take When Receiving Notice of a Third-Party Data Breach

Healthcare organizations typically receive notice of a data breach days, or even months, after it actually occurred. The third-party vendor usually sends a letter or email notifying the organization of a data breach. If your organization receives a data breach notice, treat it as an important document and keep it in an administrative file after the following steps are taken.

Healthcare organizations should read the notice carefully and assess what information of theirs was compromised and to what extent. It is also important to reach out to the third party that sent the notice if more information about the breach is required, including whether the third party has remedied the breach on its end.

After reading the notice, if the data breach is still ongoing, healthcare organizations should activate their incident response plan to mitigate the damage. If you haven’t created an incident response plan for data breaches, consider hiring outside counsel to guide the response efforts. PolicyOwners can also review sample data breach incident responses on MagMutual’s Cyber Center located within the “My Account” section of the MagMutual online portal.

Data Breach Planning and Reporting Requirements

  1. Implement a Data Breach Response Plan - An incident response plan is crucial in responding to a data breach. Implementing an incident response plan effectively requires running routine practice drills so medical staff can act immediately upon notification of a data breach. Activating the incident response plan requires good communication internally and externally. The healthcare organization’s data breach incident response plan should already have a point of contact assigned for communication purposes. The point of contact can gather statements from the third party about the data breach, update internal staff on the breach and handle pre-planned statements to update patients whose information may be compromised. If the data breach affects the healthcare organization, implementing the incident response plan involves containing the data breach from your end as set out in the data breach incident response plan. Once the third party or healthcare organization has contained the data breach, then follow the next steps in your incident response plan. 
  2. Preserve Evidence of a Data Breach - Keep the notification of the data breach and follow the procedures in your incident response plan for how to preserve and document evidence. Work with the affected third-party vendors on isolating malware. Having evidence of the malware will facilitate reporting the data breach to authorities. Forensic investigators can use this evidence to determine when and how the alleged breach took place and recommend steps for restoring the network or data. Documenting this evidence will help healthcare organizations cooperate with authorities and may help them defend themselves in a potential lawsuit.
  3. Notify Relevant Authorities about the Data Breach - Once a breach occurs, notify the relevant authorities of the breach. Which authorities to notify and what healthcare organizations can disclose depend on many factors.

HIPAA Breach Notification Rule 

The HIPAA Breach Notification Rule and the HIPAA Privacy Rule govern federal disclosure requirements about an alleged breach for most healthcare organizations. MagMutual has created a HIPAA toolkit for its policyholders, including a data breach notification analysis, which can be found here.

Even if third parties were the subject of a data breach, healthcare organizations and third parties still must demonstrate that the use or disclosure of protected health information (PHI) did not result in a breach as defined in HIPAA regulations. To determine whether a breach occurred, organizations must consider the following factors:     

  1. What was the nature and extent of PHI data involved?
  2. Who was the unauthorized person who used PHI?   
  3. To whom was the disclosure made? 
  4. Was PHI actually acquired or viewed?
  5. What was the extent to which the risk to PHI has been mitigated?

Under HIPAA, business associates (third parties) must notify covered entities (healthcare organizations) of a HIPAA data breach within 60 days of discovering the breach. Organizations must notify individuals whose information was affected by the data breach. Disclosure requirements to the media and HHS also depend on the nature and extent of the breach.

The HIPAA Security Rule requires healthcare organizations to conduct risk assessments of their security systems and report their findings. The Security Rule also requires organizations to have a contingency plan in place for responding to disruptions to their EHR system.

If you are unsure about which disclosure requirements apply, consider reaching out to MagMutual or your internal HIPAA compliance officer or engaging an outside attorney.

State and Local Disclosure Requirements for HIPAA Data Breaches


Healthcare organizations may also have to consider state and local laws in the event of a HIPAA data breach caused by a third party. State and local laws may have shorter reporting times than federal laws. These requirements may apply depending on the information the state law protects, industries the state law applies to, and the size and extent of the data breach. A state-by-state chart of disclosure requirements can be found here.

Obtain a Root-Cause Analysis of the Data Breach from the Third-Party Vendor

After the third-party vendor or IT system provider has contained the data breach, organizations should obtain a root-cause analysis from the affected third party. 

Assessing Relationships with Third-Party Vendors

Healthcare organizations should treat third-party risk as their own risk. Therefore, organizations should require third parties to maintain compliance with security requirements under applicable privacy and security laws. Compliance with security requirements should include assurance from third parties that their security systems comply with applicable federal, state and local privacy and security laws.

Healthcare organizations should also review their Business Associate Agreements (BAAs) with third parties. BAAs should include provisions about how third parties will identify and notify organizations of a data breach. BAAs should define a data breach and include exact timeframes in hours or days about when third-party vendors must notify healthcare organizations of a breach. BAAs should also include provisions about data storage and disposal, descriptions of vendor’s privacy and security programs, right-to-audit clauses, and protocols for disclosing when deficiencies in security systems have been identified.

Institute and Follow Policies and Procedures for Monitoring and Screening Third Parties

First, healthcare organizations must identify their third parties. Many third parties also subcontract their services to other third parties. And smaller arrangements may hold higher risk than larger arrangements.

Once organizations have identified their third parties, they should develop a risk profile for their third parties that focuses on a third party’s control and financial stability. Healthcare organizations can complete privacy and risk assessments by having their third parties complete questionnaires and surveys, as well as performing on-site visits.

  • Monitoring Third Parties - Healthcare organizations should interview and audit their third parties. These interviews and audits will help assess third parties’ security standards and best practices to determine if they meet the organization’s standards. MagMutual offers guidance concerning questions organizations should ask their IT vendors about their cybersecurity. Healthcare organizations should also monitor data entering and leaving the organization. They should ensure data, like PHI, is encrypted to and from third parties.
  • Screening Third Parties - Healthcare organizations should develop processes for assessing new third parties. Organizations should ask prospective third-party vendors about their security, especially what vulnerabilities exist in it and what protocols they follow when a cyberattack occurs. Healthcare organizations should also consider implementing a “least privilege” policy covering who inside the organization can access what type of data and networks. This policy should also apply to third parties.

Ensure that All Third Parties Are Operating with Similar Security Controls

Personal devices can create problems for healthcare organizations because they may not be as secure as organization-approved devices. Similar security controls allow organizations to control security measures.

Healthcare organizations should categorize third parties in terms of risk. In doing so, they should determine the amount of risk that they are willing to accept from third parties, especially ones that may have a high impact on the organization.

Healthcare organizations should determine which services require not only third-party assessment but also insurance through the organization.

How Can Third Parties Make It Right after a Data Breach?

After a third-party data breach, a healthcare organization and its third-party vendor may want to maintain their professional relationship. Organizations should reach out to the vendor’s sales representative to see what kind of items or services the vendor offers to other clients in the event of a data breach, such as a discount for services, credit monitoring for patients, assurance, ability to modify the agreement, and reimbursement for expenses arising from the data breach.

If the agreement does not indicate how third parties will reimburse healthcare organizations for a data breach, they should negotiate with the vendor about how the organization will be reimbursed for expenses associated with the data breach, including notification expenses, liability expenses and other expenses that helped mitigate the data breach. If the third-party vendor is not willing to negotiate, consider engaging an outside attorney.

If healthcare organizations believe legal action is necessary because of the data breach, they should review their contract with the third-party vendor to see what legal recourse is available. Examples of legal recourse include arbitration and mediation. If the healthcare organization decides legal action is necessary, consider engaging an outside attorney.

Additional Resources
Lessons Learned:
  • If an organization is affected by a data breach through a third-party vendor, consider consulting with MagMutual or outside counsel early in the process regarding reporting requirements you may have. 
  • Vet your third-party vendors before entering into business associate agreements and allowing them access to your patients’ PHI. Talk with at least two other providers before choosing a vendor.
  • Collect all documentation related to a data breach and store everything in a safe location.

Potential Damages

Failure to appropriately safeguard your patients’ protected health information from cybersecurity attacks and data breaches could be a HIPAA violation, resulting in financial penalties and fines to your practice. Further, delays in notifying patients of any data breaches could also result in a HIPAA violation. Although these violations carry serious damages, the frequency of such incidents is relatively low.

Quiz

Answers are provided below

True or false? 

Question 1: My practice must notify any patients whose information was involved in a data breach.

Question 2: My practice must conduct organization-wide risk assessments to determine whether any vulnerabilities to the confidentiality, integrity and availability of PHI exist.

Question 3: My practice must have a contingency plan in place to prepare for the possibility of EHR downtime or disruption. All staff should be trained and understand their role in such a plan.

Answers

Question 1: True. Healthcare organizations must notify individuals whose information was affected by a data breach. Organizations may also have disclosure requirements to the media and HHS, depending on the nature and extent of the breach.

Question 2: True. The HIPAA Security Rule requires healthcare organizations to conduct risk assessments of their security systems and report their findings.

Question 3: True. The HIPAA Security Rule also requires organizations to have a contingency plan in place for responding to disruptions to the organization’s EHR system. 

11/22

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.