March 15, 2017 // Ellen Neveux // Last Updated: November 18, 2020
Brand New Day health plan ended the year with every healthcare provider’s worst nightmare. An unauthorized person breached the records of 14,000 patients through a third-party vendor. The California-based, Medicare-approved company learned about the breach on December 28, 2016, and notified the California Office of the Attorney General and the U.S. Department of Health & Human Services. Brand New Day then sent notices to the affected patients in March, upon conclusion of a law enforcement investigation.
According to Brand New Day, the third-party vendor accessed the patients’ names, birth dates, Medicare ID numbers, addresses and phone numbers. The company assured patients that driver’s license and California identification numbers were not compromised – but who really knows for sure?
What happened and what was done about it?
Here’s how it happened:
Among other changes, Brand New Day implemented new procedures that require verification of each user on a monthly basis. Unfortunately, this is the equivalent of locking the barn door after all the horses escaped.
A Brand New Day in healthcare data security
Data security is especially important to healthcare providers, which are subject to strict HIPAA regulations and Medicaid rules regarding patient privacy. The healthcare provider has a duty to put safeguards in place to protect sensitive data. Even if a third party is to blame for a security breach, the healthcare provider is ultimately liable.
Healthcare providers typically hire a third-party vendor to handle records transmission and storage. While these third-party vendors serve a vital function in the healthcare system, they are also often the weak link in data security.
Of course, hacking and destruction of electronic information is a concern, but a breach most commonly results from unauthorized access or disclosure, as occurred in the Brand New Day breach.
Therefore, policies that address access are a key aspect of any data security plan.
Within its own operations, a health care provider can prevent an unauthorized person from accessing sensitive data by implementing security protocols such as the following:
A healthcare company should expect these same policies, in addition to auditable reports and clear data integrity standards, from its third-party vendors.
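The monthly user verification that Brand New Day adopted, and the auditable reports a provider should demand from its vendors, come down to a periodic access review: every third-party account is re-confirmed by an internal owner on a schedule, and accounts that are unused or never confirmed are disabled rather than left standing. The following is an added example, not code from the article or from SecureLink, that runs such a review over a constructed set of vendor accounts. The 30-day re-verification window, the 90-day dormancy cutoff, the account names and the dates are all assumptions chosen for illustration.

```python
"""Monthly access review for third-party vendor accounts (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy thresholds: assumptions for this example, not values from the article.
REVERIFY_EVERY = timedelta(days=30)   # each vendor user must be re-confirmed monthly
DORMANT_AFTER = timedelta(days=90)    # an unused account is a standing risk; disable it


@dataclass
class VendorAccount:
    username: str
    vendor: str
    enabled: bool
    last_verified: date          # last time an internal owner confirmed the user still needs access
    last_login: Optional[date]   # None means the account has never been used


def review_accounts(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every enabled account that needs action.

    An account can carry more than one reason, e.g. overdue re-verification
    and dormancy at the same time.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to review
        reasons: List[str] = []
        if today - acct.last_verified > REVERIFY_EVERY:
            overdue = (today - acct.last_verified - REVERIFY_EVERY).days
            reasons.append(f"re-verification overdue by {overdue} days")
        if acct.last_login is None:
            reasons.append("never used; disable until the vendor actually needs it")
        elif today - acct.last_login > DORMANT_AFTER:
            reasons.append(f"dormant for {(today - acct.last_login).days} days; disable")
        if reasons:
            findings[acct.username] = reasons
    return findings


def accounts_to_disable(findings: Dict[str, List[str]]) -> List[str]:
    """Usernames whose findings call for disabling the account, sorted for the report."""
    return sorted(user for user, reasons in findings.items()
                  if any("disable" in r for r in reasons))


# Constructed sample: fictitious vendors and accounts, reviewed as of a fixed date.
SAMPLE_TODAY = date(2017, 3, 15)
SAMPLE_ACCOUNTS = [
    VendorAccount("vendor-a-01", "Example Records Transit (constructed)", True,
                  last_verified=date(2017, 3, 1), last_login=date(2017, 3, 14)),
    VendorAccount("vendor-a-02", "Example Records Transit (constructed)", True,
                  last_verified=date(2017, 1, 10), last_login=date(2017, 3, 10)),
    VendorAccount("vendor-b-01", "Example Archive Storage (constructed)", True,
                  last_verified=date(2017, 3, 5), last_login=date(2016, 11, 1)),
    VendorAccount("vendor-b-02", "Example Archive Storage (constructed)", True,
                  last_verified=date(2016, 12, 1), last_login=None),
    VendorAccount("vendor-c-01", "Example Billing Support (constructed)", False,
                  last_verified=date(2016, 6, 1), last_login=date(2016, 6, 2)),
]

if __name__ == "__main__":
    report = review_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY)
    for user, reasons in report.items():
        print(f"{user}: " + "; ".join(reasons))
    print("disable:", accounts_to_disable(report))
```

The output of `review_accounts` is the auditable record the article asks for: it names each account, why it was flagged, and which ones should be cut off, so a reviewer can sign off on the month's result instead of taking the vendor's word that its staff list is current.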
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.