Iowa Reports Third Big Vendor Breach This YearLatest Breach Affects 234,000 Individuals; Involves Recent MCNA Insurance Co. Hack
The state government of Iowa reported to federal regulators a third major health data breach since April involving a third party vendor. In this case, the breach stems from an incident at dental health insurer MCNA Insurance Co., the firm disclosed late last month.
The Iowa Department of Health and Human Services said hackers had compromised the protected health information of nearly 234,000 Iowa residents in an incident that affects nearly 9 million Americans across the country.
Iowa is among more than 100 MCNA clients, which include other state health departments and Medicaid agencies, affected by the incident (see: Dental Health Insurer Hack Affects Nearly 9 Million).
MCNA told Information Security Media Group that the nearly 234,000 Iowa Medicaid members reported by the state as being affected by the incident are also included in MCNA's total of affected individuals nationwide.
This year, Iowa HHS has already reported to federal regulators two other large breaches involving incidents at business associates.
One of those incidents affected 21,000 individuals. It involved a contractor, Telligen, which disclosed a 2022 hacking incident at a subcontractor, Independent Living Systems. The ILS breach affected about 4.2 million people nationwide (see: Long Term Care Services Firm Says Breach Affected 4.2 Million).
On May 26, Iowa reported a breach involving business associate Amerigroup, which "inadvertently disclosed" the protected health information of 833 Iowa Medicaid members to 20 healthcare providers in paper explanation of payment notices.
Three large breaches within weeks of each other illustrates vendor risk challenges that many state agencies face, said Keith Fricke, principal consultant consultancy tw-Security.
Those issues include the large number of third parties that many state agencies deal with and the time it takes to conduct proper risk assessments of those vendors.
"State agencies should try to manage the scope of vendor risk assessments by starting with ones falling into these categories: third parties storing, processing or transmitting large amounts of electronic PHI - and third parties having remote access into state agencies' networks," he told ISMG.
Fricke also said it is critical that state agencies carefully review business associate agreements. That includes ensuring the agreements contain language that sets expectations about timely breach notification and allows the agency to conduct periodic risk assessments of the vendor under reasonable terms and conditions.
"It is not enough anymore to have the required business associate agreements signed. Covered entities need to perform some type of risk assessment on vendors with whom they conduct business," Fricke said.
Susan Lucci, a privacy and security consultant at tw-Security, suggested that covered entities should not be too quick to sign the business associate agreement presented by a vendor. "The covered entity should exhaust all options to get the business associate to sign theirs."
If an entity must sign a vendor's business associate agreement, "then read every line and redline that which does not support the very best protections for the covered entity's data," she said.
"Particularly, review the indemnification clause. If it is not included, add yours in. If it is in favor of the BA, request stronger language. Business associates must recognize their responsibilities - including financial - when they have a data breach."