A Brand New Day in Third-Party Data Breach

March 15, 2017 // Ellen Neveux

Last Updated: November 18, 2020

Brand New Day health plan ended the year with every healthcare provider’s worst nightmare. An unauthorized person breached the records of 14,000 patients through a third-party vendor. The California-based, Medicare-approved company learned about the breach on December 28, 2016 and notified the California Office of the Attorney General and the U.S. Department of Health & Human Services. Brand New Day then sent notices to the affected patients in March, upon conclusion of a law enforcement investigation.

According to Brand New Day, the third-party vendor accessed the patients’ names, birth dates, Medicare ID numbers, addresses and phone numbers. The company assured patients that driver’s license and California identification numbers were not compromised – but who really knows for sure?

What happened and what was done about it?
Here’s how it happened:

  • Brand New Day discovered that an unauthorized person was able to access protected health information stored on the third-party vendor’s computer.
  • Brand New Day immediately notified the third-party vendor, which took rapid action to correct the error that led to the data breach and enhanced its security measures.
  • In addition, the company reviewed its existing data policies and procedures to identify how the error occurred and could be avoided in the future.

Among other changes, Brand New Day implemented new procedures that require verification of each user on a monthly basis. Unfortunately, this is the equivalent of locking the barn door after all the horses escaped.

A Brand New Day in healthcare data security
Data security is especially important to healthcare providers, which are subject to strict HIPAA regulations and Medicaid rules regarding patient privacy. The healthcare provider has a duty to put safeguards in place to protect sensitive data. Even if a third party is to blame for a security breach, the healthcare provider is ultimately liable.

Healthcare providers typically hire a third-party vendor to handle records transmission and storage. While these third-party vendors serve a vital function in the healthcare system, they are also often the weak link in data security.

Of course, hacking and destruction of electronic information is a concern, but breaches most commonly result from unauthorized access or disclosure, as occurred in the Brand New Day breach.

Therefore, policies that address access are a key aspect of any data security plan.

Within its own operations, a healthcare provider can prevent an unauthorized person from accessing sensitive data by implementing security protocols such as the following:

  • Restricted, identity- and role-based access
  • Data encryption (keep in mind that HIPAA doesn’t consider the loss of encrypted data to be a breach)
  • Strict password rules
  • Automatic logoff
  • Risk assessment training
  • Strict Bring Your Own Device (BYOD) policies
  • Security audits
  • Ongoing HIPAA training for employees

A healthcare company should expect these same policies, in addition to auditable reports and clear data integrity standards, from its third-party vendors.
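To make the access-control items above concrete, here is an added example (not code from Brand New Day, SecureLink, or the original post) of how a records system can combine role-based access, automatic logoff, the monthly user verification Brand New Day adopted, and an auditable access log. The role names, the 15-minute idle timeout, the 30-day re-verification window, and the sample users and patient ID are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical role-to-field permissions (assumed for this example). Each role,
# including a third-party vendor's support role, may read only the fields it needs.
ROLE_PERMISSIONS = {
    "clinician": {"name", "birth_date", "medicare_id", "address", "phone"},
    "billing": {"name", "medicare_id"},
    "vendor_support": {"name"},          # vendor account: the minimum for support tickets
}

IDLE_TIMEOUT = timedelta(minutes=15)     # automatic logoff after this much inactivity (assumed)
REVERIFY_EVERY = timedelta(days=30)      # every account must be re-verified monthly (assumed)


@dataclass
class User:
    user_id: str
    role: str
    last_verified: datetime   # when an administrator last confirmed the account is still needed
    third_party: bool = False


@dataclass
class Session:
    user: User
    last_activity: datetime


AUDIT_LOG = []   # append-only record of every decision; this is the auditable report


def _audit(now, user, patient_id, field, allowed, reason):
    AUDIT_LOG.append({
        "time": now.isoformat(), "user": user.user_id, "role": user.role,
        "third_party": user.third_party, "patient": patient_id,
        "field": field, "allowed": allowed, "reason": reason,
    })
    return allowed, reason


def authorize(session, patient_id, field, now):
    """Decide whether this session may read one field of one patient record.

    Every decision, allowed or denied, is written to AUDIT_LOG.
    """
    user = session.user
    if now - session.last_activity > IDLE_TIMEOUT:
        return _audit(now, user, patient_id, field, False, "session idle too long; automatic logoff")
    if now - user.last_verified > REVERIFY_EVERY:
        return _audit(now, user, patient_id, field, False, "account overdue for monthly verification")
    if field not in ROLE_PERMISSIONS.get(user.role, set()):
        return _audit(now, user, patient_id, field, False, f"role {user.role!r} may not read {field!r}")
    session.last_activity = now          # real activity resets the idle clock
    return _audit(now, user, patient_id, field, True, "role permits field")


def overdue_accounts(users, now):
    """Monthly review: accounts nobody has re-verified within REVERIFY_EVERY."""
    return sorted(u.user_id for u in users if now - u.last_verified > REVERIFY_EVERY)


# Constructed sample data for the demonstration.
NOW = datetime(2017, 3, 15, 9, 0)
USERS = [
    User("dr_lee", "clinician", NOW - timedelta(days=3)),
    User("vendor_42", "vendor_support", NOW - timedelta(days=5), third_party=True),
    User("vendor_17", "vendor_support", NOW - timedelta(days=45), third_party=True),  # missed review
]


def run_demo():
    """Exercise the checks and return the decisions as (user, field, allowed) tuples."""
    AUDIT_LOG.clear()
    by_id = {u.user_id: u for u in USERS}
    active = Session(by_id["dr_lee"], NOW - timedelta(minutes=2))
    vendor = Session(by_id["vendor_42"], NOW - timedelta(minutes=1))
    stale = Session(by_id["vendor_17"], NOW - timedelta(minutes=1))
    idle = Session(by_id["dr_lee"], NOW - timedelta(hours=2))
    checks = [
        (active, "medicare_id"),   # clinician reading a field their role covers
        (vendor, "name"),          # vendor reading the one field support needs
        (vendor, "medicare_id"),   # vendor reaching beyond its role
        (stale, "name"),           # vendor account that missed its monthly verification
        (idle, "name"),            # session that should already have been logged off
    ]
    return [(s.user.user_id, f, authorize(s, "patient-001", f, NOW)[0]) for s, f in checks]


if __name__ == "__main__":
    for user_id, field, allowed in run_demo():
        print(f"{user_id:10} {field:12} {'ALLOW' if allowed else 'DENY'}")
    print("overdue for verification:", overdue_accounts(USERS, NOW))
```

The point of writing the denials into the same log as the approvals is that a vendor account reaching for fields outside its role, or still active after missing its monthly review, shows up in the audit report before it becomes a notification letter.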

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.
