Iowa Reports Third Big Vendor Breach This Year

Cyber Security Threat Summary:
The state government of Iowa has reported its third major health data breach since April, and all three trace back to third-party vendors. The most recent occurred at dental benefits administrator MCNA Insurance Co.; the Iowa Department of Health and Human Services disclosed that attackers compromised the protected health information (PHI) of nearly 234,000 Iowa residents. The MCNA incident affected approximately 9 million people nationwide across MCNA's client base, which includes state health departments and Medicaid agencies such as Iowa's. MCNA confirmed that the 234,000 Iowa Medicaid members reported by the state are counted within that nationwide total rather than in addition to it.

Earlier this year, Iowa's Department of Health and Human Services reported two other significant breaches involving business associates. One affected 21,000 individuals and was traced through contractor Telligen to a hacking incident at its subcontractor, Independent Living Systems (ILS). The ILS breach affected around 4.2 million people nationwide.

On May 26, Iowa reported a further breach involving business associate Amerigroup. In that case, Amerigroup inadvertently disclosed the PHI of 833 Iowa Medicaid members to 20 healthcare providers through mailed paper explanation-of-payment notices, an unauthorized disclosure rather than a hacking incident.

Security Officer Comments:
Three significant breaches within a few months, none of them on the state's own systems, illustrate the vendor risk problem that many state agencies face. As organizations grow, they share more mission-critical data with outside parties, and each new business requirement brings a new connection to a vendor or subcontractor; this is commonly called business-to-business (B2B) connectivity. These connections let organizations exchange vital data and collaborate efficiently, but every one of them extends the organization's attack surface to a party it does not control, as the Telligen/ILS case shows: the data was exposed two tiers down the supply chain. Organizations must identify, manage and mitigate that risk rather than assume a contract transfers it.

Suggested Correction(s):
Organizations should prioritize vendor risk assessments for third parties that handle large volumes of electronic PHI or have remote access to their networks, and should know which subcontractors those vendors in turn rely on. Business associate agreements should be reviewed carefully to ensure they require timely breach notification and allow the covered entity to perform periodic risk assessments of the vendor. It is no longer sufficient for a covered entity to sign the required agreement and file it; it must actually assess the vendor's security controls. Consultants advise covered entities to explore all options before signing a vendor's business associate agreement and to scrutinize its indemnification clause so that the entity's data is protected as well as possible. Business associates, for their part, must acknowledge their responsibilities in the event of a data breach, including financial liability.

Link(s):
https://www.bankinfosecurity.com/iowa-reports-third-big-vendor-breach-this-year-a-22236