Study: 30 Percent of Patient Data Breaches Involve Business Associates

Healthcare Informatics Magazine | Health IT | Information Technology

September 21, 2016
by Heather Landi

So far in 2016, third-party data breaches have impacted 4.5 million patients, indicating that third-party business associates pose an alarming risk to patient data, according to a new report from Protenus and

Breaches involving business associates or vendors accounted for a disproportionate share of affected patients and breached records in the first eight months of 2016: 30 percent of the breaches and 35 percent of the breached records reported to the U.S. Department of Health and Human Services’ (HHS) public breach portal were a direct result of third parties, according to the report.

In fact, the report authors contend that, based on data from HHS, the 193 breach incidents that occurred through August 2016 impacted 12,801,481 patients. Based on an analysis by Protenus and, there were at least 4.5 million patients affected by a breach involving a third-party vendor or business associate, for a mean of 79,008 patients or records per incident. The mean number of records per incident for the 135 incidents that did not involve third parties was 62,004.

“It appears, then, that breaches originating with third parties were associated with 27 percent more affected patients per incident than originating at providers or health plans,” the report authors wrote.

The study authors note that community physicians, affiliates, and certain vendors often have extensive access to patient data in the electronic health record (EHR). The increased number of users with EHR access creates a large exposure for healthcare systems and a headache for compliance teams. While vendors are often long-time trusted partners, relationships that add a large number of new EHR users or give vendor employees access to patient data create significant patient privacy monitoring challenges.

The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule required all covered entities to have Business Associate Agreements (BAAs) in place by September 22, 2014. A BAA governs how electronic protected health information (ePHI) flows between the covered entity and the business associate and spells out what the business associate must do to comply with HIPAA requirements. However, many business associates still operate without BAAs in place.

In the past year, HHS’s Office for Civil Rights (OCR) has penalized healthcare organizations and their vendor partners with large fines for potential HIPAA privacy violations. Oregon Health and Science University (OHSU) agreed to a $2.7 million settlement after OCR alleged that OHSU stored over 3,000 individuals’ ePHI in a cloud computing system without any BAA with the cloud computing vendor.

Catholic Health Care Services, a business associate providing management and information technology services to six skilled nursing facilities, agreed to pay $650,000 as part of a settlement for potential violations stemming from a data breach due to the theft of a mobile device.

Advocate Health Care Network will pay $5.55 million to settle charges stemming from multiple breaches, one of which involved a hacking incident at its business associate. HHS OCR charged Advocate Health with failing to obtain written business associate contracts.

The report examined the rate and impact of third-party breaches in 2016 and included a month-to-month recap indicating that 60 breach incidents were attributable to third parties. According to the report authors, third-party vendor breaches are more frequent than HHS’s breach portal tool suggests: a close reading of HHS’s closing notes for incidents makes clear that BAs and vendors are involved in more incidents than the tool reports.

“It appears that when covered entities report incidents, they often do not recognize that there is a way to indicate that a business associate had been responsible for the breach. There is an option labeled, ‘Are you a Covered Entity filing on behalf of a Business Associate?’ but some entities think, ‘I’m not filing on their behalf,’ so they don’t pick that option,” the report authors wrote.

“If HHS/OCR wants entities to take business associate security seriously, it would help if the public breach tool yielded a more accurate estimate of what percent of breaches and records were a result of business associates or third parties,” the report authors stated.

An examination of third-party incidents indicates that insider and external incidents appeared equal in frequency; however, this might not tell the whole story in terms of impact or risk of harm. For instance, a hacking incident involving vendor Bizmatics earlier this year, previously reported by Healthcare Informatics, affected multiple healthcare providers. So far it appears that those incidents affected up to 150,000 patients, and it is likely that even more patients were impacted.

To protect patient information, the report authors assert that healthcare institutions and their partners need to focus on, and invest in, collaborative, ongoing, and continuous processes that will protect the institution’s data over time.

The report outlines a number of recommendations to reduce business associate risk. For healthcare organizations, a top priority is to ensure up-to-date BAAs are in place. “Have a process to both standardize and regularly review this process, as these documents form the legal core of your BA management program,” the report authors wrote.

Healthcare organizations also need to retain and update human resources data to understand individual users and their roles within the system. Healthcare organizations also need to effectively manage the identities of all individuals with access to EHR systems, whether employees or BA staff.

Additionally, healthcare organizations need to implement a proactive security posture rather than a reactive one, such as deploying a privacy analytics platform to identify and resolve privacy violations quickly and efficiently.

The report also recommends healthcare organizations take steps to understand the risks associated with subcontractors to business associates or vendors by asking to review the sBAAs (Subcontractor Business Associate Agreements) with BAs that have access to an extensive amount of the organization’s data.

The report authors also recommend that HHS amend its breach portal to more accurately reflect the prevalence and scope of third-party breaches. “In the interim, we encourage covered entities to require greater physical and technical safeguards for PHI held by third parties and to audit compliance with those requirements throughout the year,” the report authors wrote.
