Hacks Spotlight PHI Risks For Ambulance Cos., VendorsTwo Breaches Affected a Total of Nearly 400,000 Patients
It's not just medical practices: A pair of hacking incidents involving an emergency medical transport firm and an ambulance billing vendor underscores that protected health information is subject to risk and oversight alike before a patient even steps foot into a hospital.
The two separate incidents include an apparent ransomware breach reported on Sept. 9 by Empress Ambulance Services LLC, a New York-based ambulance company to the Department of Health and Human Services' Office for Civil Rights as affecting nearly 319,000 individuals.
The other incident - a hacking breach reported by Massachusetts-based Comstar LLC to HHS OCR in May as affecting nearly 69,000 individuals - is now the subject of at least two proposed class action lawsuits that were consolidated last week in a Massachusetts federal court. Comstar provides billing, collection and other services to municipal and non-profit ambulance companies.
Empress Ambulance and Comstar are among a broad array of medical transport services providers and their vendors that handle potentially large volumes of patient information. Although collected during times of crisis and other urgent situations, it still must be properly safeguarded.
Ambulance drivers and emergency medical technicians are "constantly in contact" with the protected health information of other covered entities and business associates, says Kate Borten, president of privacy and security consultancy The Marblehead Group.
"Operating in the middle increases their risk of exposing PHI to unauthorized individuals. Additionally, ambulance personnel often face urgent situations that could lead to lapse of judgment in disclosing PHI," she says.
Many companies and their vendors specializing in ambulance-related services also tend to be smaller in size, which can add risk to PHI, Borten says.
"Smaller organizations typically have less robust security and privacy programs, making them potential targets, despite having less data and financial resources than large organizations."
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC recommends any company involved in medical transport should conduct a baseline assessment of compliance with the HIPAA privacy and security standards against their current practices, procedures, and rules. "This should identify any potential exposure within an organization."
Empress Ambulance Breach
In a breach notification statement, Empress says that on July 14, it identified a network incident "resulting in the encryption" of some of its systems.
The company says it took measures to contain the incident, reported it to law enforcement, and conducted an investigation with the assistance of a third-party forensic firm. "Our investigation determined that an unauthorized party first gained access to certain systems on our network on May 26 and then copied a small subset of files on July 13," Empress says.
Some of the affected files contained patient names, dates of service, insurance information, and in some instances, Social Security numbers, Empress says. The company is offering complimentary credit monitoring services to certain "eligible" individuals.
Additionally, to help prevent future similar incidents, Empress says it has strengthened the security of its systems and will continue enhancing its protocols to further safeguard the information in its care.
Empress did not immediately respond to Information Security Media Group's request for additional details about the breach, including the type of ransomware that was apparently involved in the incident.
While Empress deals with the aftermath of its recent hacking incident that affected hundreds of thousands of individuals, billing contractor Comstar is faced with battling a consolidated proposed class action lawsuit filed against the vendor in wake of its hacking incident, which affected tens of thousands of people.
A breach notification statement issued in May says that on or about March 26, the company discovered "suspicious activity" related to certain servers within its environment.
On April 21, the company's investigation into the incident determined that certain systems on its network were subject to unauthorized access. "The investigation was unable to confirm what specific information on those systems was accessed. As such, we reviewed the contents of those systems to determine what information was contained and to whom it related," Comstar says.
The information contained on the affected systems varied by individual but may have included name, date of birth, medical assessment and medication administration, health insurance information, driver’s license, financial account information, and Social Security number.
A complaint alleges that Comstar was negligent in failing to prevent the data breach.
The lawsuits - whose lead plaintiffs had previously received services from various Comstar ambulance company clients - also allege that Comstar's failure to offer credit monitoring ignores the "lifelong harm" plaintiffs and class members now face from cybercriminals.
Comstar did not immediately respond to ISMG's requests for additional details about the breach, including the type of hacking incident that occurred, and for comment on the lawsuit.
Ambulance companies have not been immune to enforcement actions by regulators for health data privacy and security infractions.
HHS OCR in January 2020 hit Georgia-based ambulance company, West Georgia Ambulance, with a $65,000 financial settlement and corrective action plan following a breach the company reported in 2013 involving a lost unencrypted laptop that contained PHI for 500 individuals.
Federal enforcers exercise discretion when deciding whether to go after medical emergency transporters, says Holtzman, a former senior adviser at HHS OCR.
"A volunteer rescue squad that did not have business associate agreements with its IT service provider and other vendors might be allowed to correct its compliance gaps," he says.
A "professional ambulance service that failed to report a breach when its unencrypted laptop was lost in the field might have less opportunity to avoid formal enforcement action."