August 11, 2020

Volume X, Number 224


August 10, 2020


Benefit Vendors’ Security Practices

Most employers use vendors to assist with managing various employee benefits, including payroll, health and dental benefits, pharmacy, cost-reduction strategies, retirement, analysis and wellness programs.

When using these vendors, the personal information of employees is provided to the vendor in data dumps. Usually that means that the vendors receive employees’ names, addresses, dates of birth, financial information, salary information, benefit elections, beneficiaries and other dependents, and oftentimes, full Social Security numbers.

Because benefit vendors receive high-risk data, they are considered high-risk vendors, and companies may wish to consider completing security questionnaires or other due diligence regarding the vendors’ security practices.

Case in point is the recent successful credential hack of Benefit Recovery Specialists (BRS). BRS provides billing and collection services for health care entities. It is reported that more than 274,000 individuals are being notified by BRS that their data may have been compromised as a result of a malware incident that was discovered on servers on April 30, 2020.

According to BRS, a hacker gained access to an employee’s credentials and used them to hack into the network for approximately 10 days. During that time, 274,000 individuals’ names, dates of birth, provider names, procedure codes, and dates of service, as well as some Social Security numbers, may have been accessed or compromised.

Although not confirmed, this sounds like a phishing incident. To avoid such a compromise, take care to assess the security practices of vendors and third-party service providers when transmitting high-risk employee, customer or patient information to them. The integrity of a business’s security is only as good as that one employee who clicks on a phishing email.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.

National Law Review, Volume X, Number 198


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...