In mid-March, the regulator responsible for privacy in healthcare announced that it will investigate a ransomware incident that took down a massive healthcare claims processing platform in February. The Change platform, owned by United, suffered a hack that halted payments, prescription refills, and other tasks, greatly straining many healthcare support resources. Now, the incident is being reviewed for whether it also compromised patient medical privacy.
Why It Matters
Two things make this story important.
First, it once again shows that vendor management is a critical part of cyber and privacy planning. Your company is only as secure (and compliant) as its weakest link – and that link may be a supplier. Particularly where the vendor has access to personal/regulated data, or where you depend on it for clearance of payments, try to secure coverage and assurances in case things go wrong.
Second, it is one of many, many recent examples of regulators at the state and local level expressing heightened interest in and attention to consumers' health information and the effort to keep it secure. Here, there may be HIPAA violations, but the regulators are throwing increasingly wide nets that don't require a HIPAA claim to cause company headaches. If you have consumer health, medical, location, or well-being data: lock it down and take steps to document how you secure it.
Subscribe to Taylor English Insights by topic here.
/Passle/61f3627a0c51c3165820f0e7/MediaLibrary/Images/5ff4a070535488111cdbfec9/2024-01-17-18-25-18-859-65a81b8e3f5d760a89621ac7.png)
