Do You Think Your Customers Care WHY it Took You 2 Years to Tell Them Their Data was Breached?
This is a secondary problem of vendor cyber risk. The first problem is that you are dependent on a lot of vendors. You have to depend on those vendors. If they screw up, you get sued. And you lose customers.
To make matters worse, when one of your vendors gets breached, you are only one of the companies that your vendor is trying to make happy.
And, unless you write your contract correctly, you may be the last to know about the breach.
To make matters worse, you may not even get to be involved in the incident response.
Here is the breach situation.
Adelanto Health Care Ventures is a consulting company that helps medical providers with Medicaid reimbursements.
AHCV discovered suspicious activity on their network on November 5, 2021 (about 17 months ago). They investigated and discovered two email accounts had been hacked.
AHCV, probably on the advice of their attorneys, did not tell their customers about the breach. They said they thought no protected health information had been compromised. Of course, since they did not tell their customers about the breach, the customers could not make their own decision as to the facts.
Or ask why PHI was in their email in the first place.
Assuming there was no specific language in the contract covering this, they probably are not in breach of contract. Assuming they did a slap-dash investigation and didn’t find any problems, they probably are not in violation of HIPAA either.
Depending on what your contract says.
On August 19, 2022 (8+ months ago) they decided that their original assessment was wrong and some PHI may have been compromised. Texas based St. Luke’s Health notified 16,000 patients that same month, so either they told St. Luke’s but not their other customers or we have an amazing coincidence.
Multiple customers noted in their breach notification letters that they “did not receive sufficient information to conduct a breach analysis until December 27, 2022”. Their vendor began notifying these organizations in late January 2023, more than a year after the breach.
The email accounts largely contained patient name, facility names, age, account numbers, admission and discharge dates, insurance carriers and balance information. I am not sure why they qualified contained with the word largely. I assume that means that other information was also compromised.
One client, Suncoast Behavioral Health said they began sending out breach notification letters on March 29, 2023, roughly 18 months after the breach.
Who do you think Suncoast’s and the others’ customers are going to blame? Do you think they even know who Adelanto is? Do you think they care?
Who do you think is going to get hit with the class action lawsuits?
Who do you think is going to get fined by the feds?
It is up to you to manage your vendors and it is hard. I understand that. Possibly these providers’ insurance will still cover them. Assuming they have cyber insurance. Most insurance policies have a “timely notification” clause. Are the insurance companies going to be okay with 18 months being timely? Maybe your insurance is going to tell you to pound sand. You will say that you just found out. They may say that it is not their problem.
We see these stories all the time. This is far from unique.
The message to you is to manage your vendors. If you don’t, you do that at your own peril.
If you need help with your vendor cyber risk management program, please contact us.
Credit: Health IT Security