St. Luke’s Health reports data breach

St. Luke’s Health reported a data breach involving almost 17,000 patients, as a result of a hack into a third-party vendor’s email system.  Two employees of the vendor had their email accounts hacked which lead to the breach of personally identifiable information, diagnoses, and other elements of PHI.

It is vital to ensure that third-party vendors who have access to your PHI/PII are fully vetted from a HIPAA Security & Privacy perspective.  Conducting due diligence of these vendors, during the contracting/vendor approval process will help evaluate their:

• Policies & procedures (Does their P&P meet HIPAA Security & Privacy Standards?  Does the staff understand the P&P and actively follow them?)
• Security posture (e.g., encryption (data at rest and in transit), data loss prevention protocols, HRAs, enforceable TLS, multi-factor authentication)
• Training & education (Do they actively conduct social engineering testing to ensure their staff know how to spot a phishing attack and not click on a link that may be compromised by a malicious actor?  Do they know how to spot a “fake” email address?)

Conducting vendor risk assessments help to evaluate, limit, and mitigate potential risk with a third-party vendor.  Knowing and understanding these risks will help make well informed decisions prior to signing a vendor agreement.

Read the article here.