October 19, 2020

Volume X, Number 293

Latest HIPAA Breach Involves Medical Records Hack of Business Associate

Regular readers of the blog won’t be surprised to hear that there has been another data breach, this time involving a business associate in charge of storing medical records on behalf of health care providers and insurers. AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records.  The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018. SHDS did not notify AltaMed or BSC of the breach until December 31, 2018.

The exact number of affected individuals is not yet certain but is at least into the thousands. In AltaMed’s notification of the data breach to California’s Attorney General on February 15, 2019, AltaMed reported that it had already notified 5,767 California residents of the breach.  In addition, BSC stated in its press release that the breach affected about 18,000 of its members. 

BSC also notified California’s Attorney General as required by state law and included a template notice letter that it sent to affected BSC members.  The letter sets forth the type of compromised information, including a patient’s “name, address, date of birth, Blue Shield subscriber number, name and address of a clinic or facility that provided your health services and in some instances the name of your health care provider, your medical record number and internal SHDS processing notes.” BSC stated in the letter that it took “immediate steps” to prevent further breach after discovery on June 26, 2018. SHDS hired Mandiant, a global forensic firm, to assist in the investigation of this breach.

As we’ve previously discussed on the blog, covered entities need to stay vigilant not only of their own compliance with HIPAA’s privacy and security rules but also that of their vendors who may have access to PHI.  Even though the breach occurred at the business associate and not the covered entity, the covered entity is still responsible for providing notice to affected individuals, which often requires significant money and resources.  Breaches caused by business associates can lead to costly investigation, notification, and mitigation efforts for covered entities. Therefore, covered entities should work to ensure that:

  • They have business associate agreements in place with all vendors that handle PHI;

  • They have performed due diligence on their vendors;

  • They have included contractual protections in their underlying services agreements and business associate agreements with business associates, including indemnification provisions; and

  • They have reviewed their cyberliability insurance coverage and understand their policies' coverage of breaches by vendors.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume IX, Number 65


About this Author

Kristen A. Marotta, Associate, Hospitals & Health Systems, Physician Organizations

Kristen focuses her practice on health care transactions, regulatory matters, and general contracting. Her experience includes counseling clients on both investing in and exiting from the health care space, drafting compliance plans and policies, facilitating deals and conducting due diligence to assess risk, addressing employment issues for health care entities, and assisting companies with formation and reorganization.

Prior to joining Mintz, Kristen was an associate...

Sarah Beth S. Kuyers, Mintz Levin, nonprofit affiliation lawyer, health care systems attorney

Sarah Beth’s practice involves a variety of regulatory, transactional, and enforcement defense matters for clinical laboratories, hospitals, pharmacies, insurers, and other health care clients.

Sarah Beth routinely advises clients on a wide variety of federal and state health care regulatory issues, including anti-kickback and self-referral laws, licensure and scope of practice rules, telemedicine, certificate of need applications, food and drug law, and HIPAA compliance. She also handles licensure and regulatory filings for clinical laboratories and other health care providers.

On the transactional side, Sarah Beth provides regulatory counsel for mergers and acquisitions involving pharmacies, pharmacy benefit managers, and other health care providers. She has assisted clients with due diligence, licensing, change of ownership, and contract drafting and negotiation.

Sarah Beth’s enforcement defense experience includes representing health care clients in criminal and administrative actions brought by federal and state agencies for potential violations of the federal anti-kickback statute, the Stark Law, and the False Claims Act. She also has experience in internal investigations and compliance programs.

Sarah Beth actively participates in Mintz’s pro bono program. Currently, Sarah Beth represents children seeking Special Immigrant Juvenile (SIJ) Status from the U.S. Citizenship and Immigration Services. The SIJ program is available for foreign children who have been abused, abandoned, and neglected and have come to the United States.