Managed Health Services becomes first organization to be listed on ‘HIPAA Wall of Shame’ in 2019

The protected health information of more than 30,000 US patients may have been compromised following a data breach impacting Managed Health Services (MHS) of Indiana.

According to a recent security alert from the organization, which serves Indiana residents through the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, the breach took place after unauthorized persons gained access to employee email accounts at MHS partner LCP Transportation.

“This access took place sometime between July 30 and September 7, 2018,” said MHS. “The incident was caused by a phishing attack on the vendor’s systems.”

Indianapolis-based LCP Transportation provides a range of non-emergency transportation services to hospitals and other healthcare organizations.

Following an investigation into the data breach, MHS said some patient information could have been accessed from the LCP email accounts, including names, insurance ID numbers, addresses, dates of birth, and descriptions of medical conditions.

Third-party perils

While MHS said there was no evidence that its patients’ information had been misused, the incident once again highlights the risks organizations face when entrusting their data to external service providers.

In November last year, Atrium Health released details of a breach that resulted in the personal information of more than 2.5 million people being compromised.

The organization said the breach was the result of attackers gaining unauthorized access to a patient database hosted by AccuDoc Solutions, a third-party provider of payment processing solutions.

“Third-party data breaches are currently a very large concern for companies and organizations of all sizes,” Chris Vickery, director of cyber risk research at UpGuard, told The Daily Swig last year.

“We are going to see more and more complications and liability uncertainties surrounding the growing calamity of third-party data breaches as time goes on.”

The number of potentially impacted patients in the MHS incident (31,300) pales in comparison to that of the Atrium breach.

However, as required by the US HITECH Act, all breaches of unsecured health information affecting 500 individuals or more must be publicly flagged.

As a result, MHS has the dubious honor of being the first healthcare organization to be listed on the so-called ‘HIPAA Wall of Shame’ in 2019.