Configuration Error From Supplier Caused The Breach Of ePHI Of 14,000 Individuals

Universal Care found a serious breach of PHI. On 28 Dec 2016, Brand New Day found that an unauthorized individual had gained access to PHI that was sent to one of its business associates. The information was obtained through a third-party supplier system that was used by the company's contract provider. The incident had happened six days earlier, on 22 Dec 2016. The incident notification that was submitted to the Attorney General of California does not contain any information about the members affected by the incident. The information was breached, however, and a criminal investigation was started immediately by law enforcement.

The information obtained contains the names, addresses, dates of birth, ID numbers and phone numbers of the people affected. After learning of the breach, Brand New Day took immediate steps to investigate and ensured that the receiving party's access to the PHI had been terminated completely. It also notified vendors that unauthorized parties had obtained access to the PHI and that this access should be blocked immediately. Brand New Day stated that access to the ePHI has been eliminated and that it took this action after notifying the supplier.

Although the exact nature of the unauthorized access was not known, Brand New Day stated, “We have changed our rules and policies for access; it requires the verification of the users on a monthly basis.” Brand New Day also conducted other audits to check whether there are any other issues that could harm the availability, integrity and confidentiality of the information. As a result of the breach, all the affected people have been offered annual theft protection services through Experian. The incident report provided to the Department of Health and Human Services’ OCR shows that 14,005 people were affected by the issue.

Business Associates and HIPAA

A signed copy of the contract with a business associate should be obtained before providing PHI to them. The contract with the business associate should cover the HIPAA privacy policy, its breach notification rules and their implementation, the availability, integrity and confidentiality of PHI, and all other important points. It should also include the process for notifying people if there is any breach of information.

The contract will not prevent future breaches, but it will clarify the responsibilities of the parties. If there is a breach, the business associate will be liable for the loss.