Study: 30 Percent of Patient Data Breaches Involve Business Associates | Healthcare Informatics Magazine | Health IT | Information Technology


September 21, 2016
by Heather Landi

So far in 2016, third-party data breaches have impacted 4.5 million patients, indicating that third-party business associates pose an alarming risk to patient data, according to a new report from Protenus and

Breaches involving business associates or vendors accounted for a disproportionate share of affected patients and breached records in the first eight months of 2016: 30 percent of the breaches and 35 percent of the breached records reported to the U.S. Department of Health and Human Services (HHS) public breach portal were a direct result of third parties, according to the report.

Based on data from HHS, the report authors count 193 breach incidents through August 2016, affecting 12,801,481 patients. Based on an analysis by Protenus and, at least 4.5 million of those patients were affected by a breach involving a third-party vendor or business associate, for a mean of 79,008 patients or records per third-party incident. The mean number of records per incident for the 135 incidents that did not involve third parties was 62,004.

“It appears, then, that breaches originating with third parties were associated with 27 percent more affected patients per incident than those originating at providers or health plans,” the report authors wrote.

The study authors note that community physicians, affiliates, and certain vendors often have extensive access to patient data in the electronic health record (EHR). The growing number of users with EHR access creates a large attack surface for healthcare systems and a headache for compliance teams. While vendors are often long-time trusted partners, relationships that add a large number of new EHR users, or that give vendor employees access to patient data, create significant patient-privacy monitoring challenges.

The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule required all covered entities to have Business Associate Agreements (BAAs) in place by September 22, 2014. A BAA governs how electronic protected health information (ePHI) flows between the covered entity and the business associate and spells out what the business associate must do to comply with HIPAA requirements. However, many business associates still operate without a BAA in place.

In the past year, HHS’s Office for Civil Rights (OCR) has penalized healthcare organizations and their vendor partners with large fines for potential HIPAA privacy violations. Oregon Health and Science University (OHSU) agreed to a $2.7 million settlement after OCR alleged that OHSU stored the ePHI of more than 3,000 individuals in a cloud computing system without any BAA with the cloud vendor.

Catholic Health Care Services, a business associate providing management and information technology services to six skilled nursing facilities, agreed to pay $650,000 as part of a settlement for potential violations stemming from a data breach due to the theft of a mobile device.

Advocate Health Care Network will pay $5.55 million to settle charges stemming from multiple breaches, one of which involved a hacking incident at its business associate. HHS OCR charged Advocate Health with failing to obtain written business associate contracts.

The report also examined the rate and impact of third-party breaches in 2016 in a month-to-month recap, which attributed 60 breach incidents to third parties. According to the report authors, third-party vendor breaches are more frequent than HHS’s breach portal tool suggests: a close reading of HHS’s closing notes for each incident makes clear that BAs and vendors are involved in more incidents than the tool’s own flag reports.

“It appears that when covered entities report incidents, they often do not recognize that there is a way to indicate that a business associate had been responsible for the breach. There is an option labeled, ‘Are you a Covered Entity filing on behalf of a Business Associate?’ but some entities think, ‘I’m not filing on their behalf,’ so they don’t pick that option,” the report authors wrote.

“If HHS/OCR wants entities to take business associate security seriously, it would help if the public breach tool yielded a more accurate estimate of what percent of breaches and records were a result of business associates or third parties,” the report authors stated.
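The two points above, that the portal’s business-associate flag undercounts third-party incidents unless the closing notes are also read, and that third-party incidents carry more records per incident, are easy to check against an export of the portal. The script below is an added example, not code from the report or from Protenus; it assumes the column names of the portal’s public CSV export (“Individuals Affected”, “Business Associate Present”, “Web Description”), uses a constructed five-row sample rather than real incidents, and uses a hypothetical keyword list to flag vendor involvement in the description text. It computes the third-party share of incidents and records, and the mean records per incident, once using the flag alone and once using the flag plus the description.

```python
"""Flag-only vs. notes-aware classification of HHS breach-portal rows.

Added example (not from the report). Column names follow the portal's public
CSV export but are an assumption here; the rows are constructed, not real.
"""
import csv
import io
import re
import statistics

# Constructed sample rows in the shape of the portal export. Not real incidents.
SAMPLE_CSV = """\
Name of Covered Entity,Individuals Affected,Business Associate Present,Web Description
Example Hospital A,120000,Yes,Breach at billing vendor.
Example Clinic B,5000,No,Laptop stolen from employee vehicle.
Example Health Plan C,80000,No,"The covered entity's business associate, a claims processor, was hacked."
Example Practice D,2500,No,Misdirected mailing by staff.
Example System E,150000,No,Vendor reported unauthorized access to its hosted EHR.
"""

# Hypothetical keyword list: phrases in the closing notes that indicate a
# vendor or business associate was involved even when the flag says "No".
THIRD_PARTY_TERMS = re.compile(
    r"\b(business associate|vendor|subcontractor|contractor)\b|\bBA\b", re.I)


def load_incidents(csv_text):
    """Parse the export into a list of dict rows (one per reported incident)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_third_party(row, read_notes=True):
    """True if the BA flag is set or, when read_notes, the description names a vendor/BA."""
    if row["Business Associate Present"].strip().lower() == "yes":
        return True
    return bool(read_notes and THIRD_PARTY_TERMS.search(row["Web Description"]))


def summarize(rows, read_notes=True):
    """Share of incidents/records attributed to third parties, and per-incident means."""
    tp = [int(r["Individuals Affected"]) for r in rows if is_third_party(r, read_notes)]
    fp = [int(r["Individuals Affected"]) for r in rows if not is_third_party(r, read_notes)]
    total_records = sum(tp) + sum(fp)
    tp_mean = statistics.mean(tp) if tp else 0.0
    fp_mean = statistics.mean(fp) if fp else 0.0
    return {
        "third_party_incidents": len(tp),
        "third_party_incident_share": len(tp) / len(rows),
        "third_party_record_share": sum(tp) / total_records,
        "third_party_mean": tp_mean,
        "first_party_mean": fp_mean,
        # 0.27 would mean third-party incidents average 27% more patients each
        "mean_excess": (tp_mean / fp_mean - 1.0) if fp_mean else None,
    }


if __name__ == "__main__":
    incidents = load_incidents(SAMPLE_CSV)
    for label, read_notes in (("flag only", False), ("flag + notes", True)):
        print(label, summarize(incidents, read_notes))
```

On the sample, the flag alone attributes one of five incidents to a third party; reading the descriptions attributes three, which is the undercount the authors describe. Against a real export the keyword list needs tuning (the closing notes are free text), and any row it flags should be confirmed by hand before it is counted.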

An examination of third-party incidents indicates that insider and external incidents were about equal in frequency; however, frequency alone does not tell the whole story in terms of impact or risk of harm. For instance, a hacking incident earlier this year involving the vendor Bizmatics, previously reported by Healthcare Informatics, affected multiple healthcare providers. So far those incidents appear to have affected up to 150,000 patients, though it is likely that even more patients were impacted.

To protect patient information, the report authors urge healthcare institutions and their partners to focus on, and invest in, collaborative, ongoing, and continuous processes that protect the institution’s data over time.

The report outlines a number of recommendations to reduce business associate risk. For healthcare organizations, a top priority is to ensure up-to-date BAAs are in place. “Have a process to both standardize and regularly review this process, as these documents form the legal core of your BA management program,” the report authors wrote.

Healthcare organizations also need to retain and update human resources data to understand individual users and their roles within the system. And, healthcare organizations need to effectively manage the identities of individuals with access to EHR systems, whether an employee or a BA.

Additionally, healthcare organizations need to implement a proactive security posture rather than a reactive one, such as deploying a privacy analytics platform to identify and resolve privacy violations quickly and efficiently.

The report also recommends that healthcare organizations take steps to understand the risks posed by subcontractors of their business associates or vendors, by asking BAs that have access to an extensive amount of the organization’s data to provide their Subcontractor Business Associate Agreements (sBAAs) for review.

The report authors also recommend that HHS amend its breach portal to more accurately reflect the prevalence and scope of third-party breaches. “In the interim, we encourage covered entities to require greater physical and technical safeguards for PHI held by third parties and to audit compliance with those requirements throughout the year,” the report authors wrote.
