A third-party vendor's data breach exposed the PHI of over 2,000 MassHealth patients.
Standard Modern Company (SMC) is a New Bedford, MA-based vendor that produces mailings for MassHealth members on behalf of the Massachusetts Executive Office of Health and Human Services (EOHHS).
As a business associate of MassHealth, SMC reported the breach to the US Department of Health and Human Services Office for Civil Rights (OCR) on July 20.
According to the published security incident report: “On May 24, 2021, SMC was notified that some MassHealth members received notices that were mailed between May 10, 2021, and May 18, 2021, that contained personal information about other members”. The quoted report describes a mailing error, not a network intrusion: paper notices sent to one member carried another member's information. Under HIPAA that is an impermissible disclosure of PHI, and because it reached unauthorized recipients it is a reportable breach, not merely a lapse in privacy practices.
Even though the error occurred at SMC, OCR can hold both the business associate and the covered entity accountable; a covered entity is not shielded from enforcement because the mishandling happened at a vendor.
Any medical organization, as a HIPAA covered entity, is responsible for ensuring that its business associates and other third-party vendors safeguard the PHI it entrusts to them. Their breaches are your breaches. Your business associate agreements and liability insurance coverage should reflect that fact. In practice, the BAA should require the vendor to report any suspected breach to you promptly, with a contractual deadline well inside the 60-day outer limit that the HIPAA Breach Notification Rule allows, since your own notification clock runs from the date you learn of the breach.
Have your business associates been properly vetted? Contact Alaris Threat Mitigation today to make sure: firstname.lastname@example.org