Get Live Chat Request a Callback Get live demo

← Back

The Health Equity Breach: What We Can Learn

Public Policy

Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

securityBreachLocks

HealthEquity provides employees at companies across the United States access to workplace benefits, like health savings accounts and commuter options for public transit and parking. At its February earnings, HealthEquity said it had more than 15 million total customer accounts.

How did this breach occur?

The breach occurred because one of HealthEquity’s vendor accounts was compromised and their password stolen which was used by hackers to access the data repository.

Why is this event important to you?

Here we have a case where a large provider of service experienced a breach because one of their vendors was compromised. You may have a service that you share patient information with, for example a provider of Durable Medical Equipment. It is probable the vendor works with vendors to provide third party services such as prior authorization, printing and sending of statements, data aggregation for reporting purposes, or other add on items that are vital to their business. Perhaps they have accountants or other professionals who have access to their systems.

You and your vendor both may have strong security systems in place but a third party that integrates into their software and systems may have a security lapse. This lapse could result in a hacker getting access to all of the patient information held by your vendor – YOUR PATIENT INFORMATION. It is important to remember – even though the information is being stored in the computer systems of your vendor, it is still your responsibility. This is why it is vital you have a Business Associate Agreement with ALL vendors who you share patient information.

Unless the BAA says it is the responsibility of the vendor to cover all costs associated with the breach, the financial burden for the costs of the breach are YOURS.  It is your practice that will be investigated by the Federal Office for Civil Rights, or your State Attorney General. This event has become your problem.

This is one example of something that can go wrong and is completely beyond your control. This is why you need HIPAA Breach and Cybersecurity Insurance. Steps to take today – make sure you have an insurance policy with enough limits of liability to protect you in case you fall victim to a breach beyond your control.  Ask your insurance carrier if they will cover you if the breach occurs at a Business Associate – this is a very important question to ask.  Make sure that you have Business Associate Agreement with all vendors that you share patient information. Lastly, make sure the BAA states the vendor is responsible for as many of the financial costs for a breach that happens to their systems. It is always a good idea to have your health care attorney look at all Business Associate Agreements.

The world of cybersecurity and breaches is getting less secure every day and the need for to you to take all steps possible to protect yourself becomes more important every day.



Avatar photo
Michael Brody, DPM
Dr. Brody has been actively involved in computers and medicine since the 1980s. He is a Residency Director at a VA hospital located in Long Island, NY. Notably, he was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees must adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick. They wanted to create a platform for private practice doctors that provides a cost-effective method of implementing HIPAA compliance in their practices. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-chair of the EHR workgroup at Health Level Seven International (HL7). He co-founded TLD Systems with Warren Melnick to create a platform that doctors who wish to work in private practice have a cost-effective method of implementing HIPAA compliance in their practices in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-Chair of the EHR workgroup at Health Level Seven International (HL7)

Topic: Public Policy


Other Resources Related to This Topic


MACRA/MIPS

Promoting Interoperability 2025 Guide

Use this step-by-step guide in conjunction with the AdvancedMD Help Files or the MIPS Promoting...

MACRA/MIPS

MIPS Value Pathways (MVP) 2025 Highlights

Each MVP includes measures and activities from the quality performance category, improvement activities performance category,...

MACRA/MIPS

Traditional MIPS Highlights 2025

2025 updates for Traditional MIPS Highlights.