Healthcare News & Insights

Vendor mistake causes breach of 32,000 patients’ data

Hospitals have a lot to worry about when it comes to protecting the sensitive patient data they hold on their premises. But organizations can also be on the hook when data breaches occur at third parties they contract with. 

That was the lesson learned recently by Cogent Healthcare, based in Brentwood, TN, after a mistake by a contractor led to a possible breach of 32,000 patients’ protected health information.

The vendor, India-based M2ComSys, was hired to transcribe care notes dictated by doctors. The firm stored those notes on what was supposed to be a secure website. However, the information remained publicly accessible because the vendor apparently failed to activate a firewall.

The data was left open from May 5 until Cogent discovered the issue on June 24, the Tennessean reports. It’s unclear if any unauthorized people tried to access the data, but those notes contained information including patients’ names, dates of birth, diagnosis and treatment summaries, and medical history. Copies of medical records and Social Security numbers weren’t included, Cogent said.

Watch for third-party security

Although the incident occurred at a third party, HIPAA still required Cogent to notify patients and report the breach to the feds and media outlets.

While handing sensitive data off to another organization always has some level of risk, hospitals can take steps to make sure they’re only working with vendors that take security seriously.

A survey last year found that many healthcare providers skip some critical best practices when evaluating third parties’ security. Among the 250 organizations polled by HIMSS:

  • Only 56% require vendors that hold sensitive medical data to conduct periodic risk assessments
  • Just 56% require proof of employee background checks from third parties, and
  • Only 50% require third parties to verify that their employees have received proper security training.

To keep information safe, those and other security measures should be part of the criteria used to evaluate potential vendors.

Also, when contracting with third parties, it’s critical that hospitals look closely at vendor contracts to make sure those organizations will be held accountable for protecting patients’ medical information and other sensitive data.
