Fallout From Accellion, Humana Breaches Puts Focus on Subcontractors, Notifications

In early March, Southern Illinois University (SIU) School of Medicine posted a notice on its website pledging to offer free identity theft protection services for an unspecified number of individuals whose information was on a file transfer appliance (FTA) subject to a cyberattack in December.[1]

“We have no reason to believe that any personal information has been misused for the purpose of committing fraud or identity theft,” SIU said, adding that affected individuals “already or will be notified by SIU.”

But SIU’s optimism may be premature. It is among hundreds of organizations whose documents were on an FTA owned by Accellion Inc., of Palo Alto, that was first attacked Dec. 16 by a criminal hacker organization.[2] Since then, several of those, reportedly including the Jones Day law firm, have received extortion demands.[3]

Concerningly, documents connected to the law firm that include more than 180,000 entries related to prescription information written by a Florida physician have already been exposed on the dark web.[4] Yet, the physician’s office manager told RPP March 5 that she was unaware of the breach, meaning it is unlikely that any patients had been notified.

The Accellion breach puts a spotlight on the interconnectedness of health care today—and the various duties that each holder of protected health information is supposed to perform in the event of an inappropriate disclosure or loss of PHI. In particular, a firm such as Accellion is likely to be a subcontractor of Jones Day and its other clients with PHI, while Jones Day would be expected to be a business associate (BA) of the Florida physician.

Despite their pivotal role for both covered entities (CEs) and BAs, subcontractors may be among the organizations for which compliance is a somewhat murky matter.

Erin Smith Aebel, a shareholder in the Tampa, Florida, office of Trenam Law, shared with RPP strategies for both CEs and BAs to ensure effective oversight of subcontractors, including sample agreement provisions.[5]

The Accellion attack was the first recent incident to seemingly center on a subcontractor. The second involved Humana Inc., and officials with the health plan specifically identified a subcontractor of a BA as being at fault.[6]
