September 18, 2019

September 18, 2019

Subscribe to Latest Legal News and Analysis

September 17, 2019

Subscribe to Latest Legal News and Analysis

September 16, 2019

Subscribe to Latest Legal News and Analysis

Latest HIPAA Breach Involves Medical Records Hack of Business Associate

Regular readers of the blog won’t be surprised to hear that there has been another data breach, this time involving a business associate in charge of storing medical records on behalf of health care providers and insurers. AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records.  The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018. SHDS did not notify AltaMed or BSC of the breach until December 31, 2018.

The exact number of affected individuals is not yet certain but is at least into the thousands. In AltaMed’s notification of the data breach to California’s Attorney General on February 15, 2019, AltaMed reported that it had already notified 5,767 California residents of the breach.  In addition, BSC stated in its press release that the breach affected about 18,000 of its members. 

BSC also notified California’s Attorney General as required by state law and included a template notice letter that it sent to affected BSC members.  The letter sets forth the type of compromised information, including a patient’s “name, address, date of birth, Blue Shield subscriber number, name and address of a clinic or facility that provided your health services and in some instances the name of your health care provider, your medical record number and internal SHDS processing notes.” BSC stated in the letter that it took “immediate steps” to prevent further breach after discovery on June 26, 2018. SHDS hired Mandiant, a global forensic firm, to assist in the investigation of this breach.

As we’ve previously discussed on the blog, covered entities need to stay vigilant not only of their own compliance with HIPAA’s privacy and security rules but also that of their vendors who may have access to PHI.  Even though the breach occurred at the business associate and not the covered entity, the covered entity is still responsible for providing notice to affected individuals, which often requires significant money and resources.  Breaches caused by business associates can lead to costly investigation, notification, and mitigation efforts for covered entities. Therefore, covered entities should work to ensure that:

  • They have business associate agreements in place with all vendors that handle PHI;

  • They have performed due diligence on their vendors;

  • They have included contractual protections in their underlying services agreements and business associate agreements with business associates, including indemnification provisions; and

  • They have reviewed their cyberliability insurance coverage and understand their policies' coverage of breaches by vendors.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author


Kristen focuses her practice on health care transactions, regulatory matters, and general contracting. Her experience includes counseling clients on both investing in and exiting from the health care space, drafting compliance plans and policies, facilitating deals and conducting due diligence to assess risk, addressing employment issues for health care entities, and assisting companies with formation and reorganization.


Prior to joining Mintz...

Sarah Beth S. Kuyers, Mintz Levin, nonprofit affiliation lawyer, health care systems attorney

Sarah Beth’s practice focuses on advising health care providers, PBMs, and laboratories on a variety of regulatory issues.

Prior to joining Mintz Levin, Sarah Beth worked as a law clerk with the health staff of the US Senate Committee on Finance, where she researched policy, regulations, and legislation regarding commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act. She also drafted legislation.

In addition, Sarah Beth worked as a law clerk for a legal practice in Washington, DC. Her experience also includes legal internships with a large, nonprofit health care system and with the International Trade Administration of the US Department of Commerce.