BA Causes HIPAA Data Breach for Presbyterian Anesthesia Associates

May 15, 2013

More details from Presbyterian Anesthesia Associates breach, by Kyle Murphy, PhD. Date: May 15, 2013

Once again we see a business associate (BA) cause a data breach while the covered entity (CE), in this case Presbyterian Anesthesia Associates, gets the blame, although in this case the BA lost the business. BA Tracker helps the CE discover BAs that are not compliant and are at risk for data breaches before they happen. Take a look at www.compliancehelper.com/ba

Here is the whole article:

Pursuant to a law in North Carolina, the Identity Theft Protection Act of 2005, businesses or government agencies are required to report details about security breaches to the state’s Attorney General’s Office. Editors from HealthITSecurity have acquired a copy of the North Carolina Security Breach Reporting Form submitted by Presbyterian Anesthesia Associates, which provides further information about the breach.

The security breach was discovered on April 18 and reported to the NC Attorney on May 8. Of the 9,988 estimated individuals affected by the breach, an estimated 9,000 are state residents. As noted in the initial coverage of the breach, a security flaw enabled a hacker to access the names, contact, dates of birth, and credit card numbers of these individuals.

As the Security Breach Reporting Form reveals, the breach occurred on a server used by E-Dreamz, Inc., the Charlotte-based company hired by Presbyterian Anesthesia Associates to operate and maintain its e-commerce service. The medical practice has subsequently switched to a new service provider in the wake of the incident.

The description of the data breach says that an “unauthorized person gained access to E-Dreamz’s server via a software vulnerability and stole key enabling person to decrypt and take patient payment information.” The information on the server was encrypted using 128-bit AES (Advanced Encryption Standard) encryption.

Presbyterian Anesthesia Associates notified state residents in writing. No details are mentioned about notifying the remaining individuals affected by the data breach.

The Federal Bureau of Investigation is currently investigating the cybercrime.

