
09/18/2024

Breach at a Revenue Cycle Management Company

EngageMED is a healthcare support services provider based in Little Rock, Arkansas. EngageMED provides a range of services for healthcare providers, including revenue cycle management, practice operational support, network services and more.

On August 30, 2024, EngageMED filed a notice of data breach after discovering that an unauthorized party was able to access the company’s IT network. As reported, the incident resulted in unauthorized access to names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and claim information.

This is just the most recent breach of Health Information to hit the news. EngageMED provides services to healthcare providers, and although the breach did not happen directly at the healthcare provider, it still has an impact on the providers who shared their data with EngageMED.

Incidents of this nature underscore the importance of having valid Business Associate Agreements with each of the organizations that you share Health Information with. In this breach, EngageMED sent out data breach letters to anyone who was affected by the recent data security incident.

Your Business Associate Agreement should clearly specify who is responsible for notifying patients of a breach when it happens at a Business Associate and who is responsible for the costs associated with the breach. 

An important question each healthcare provider must ask is:
How many of MY patients were involved in this breach?

One of the provisions of the Breach Notification Rule is that if the breach involves more than 500 patients, a notice must be posted publicly notifying patients in the community about the breach. Who is responsible for this public posting, and how will it impact healthcare providers?

These are questions that need to be asked of your Healthcare Attorney. If your patients are involved in this breach, or in a similar breach by one of your business associates, what are your responsibilities?

The next question to ask is: how does my Cybersecurity / HIPAA Breach Insurance policy cover me in case of a breach of this nature? Is there a specific exclusion if the breach occurs at a Business Associate? If this exclusion exists, it is vital to make sure that the Business Associate is responsible for all financial costs associated with the breach and that the Business Associate has adequate Cybersecurity / HIPAA Breach Insurance.

If you are a TLD Systems client and you learn of a breach at one of your Business Associates, please reach out to us and we will assist you in assessing your responsibility in responding to events of this nature.

For more information contact TLD Systems at:
(631) 403 6687
Info@tldsystems.com
https://www.tldsystems.com
