Business Associate Exposes 650,000 Patient Records

It took me a while to track it down, but my memory was correct. Anthem Blue Cross had a similar breach in 2009, when a business associate left patient records exposed on the internet for five months after a software upgrade.

Anthem Blue Cross glitch exposed personal data
By SHAYA TAYEFE MOHAJER (AP) – 3 days ago 

LOS ANGELES — About 230,000 Anthem Blue Cross customers have been warned that their personal data, including medical records and Social Security numbers, may have been wrongly accessed following a faulty upgrade of the company's website.

I guess we can feel better that Bon Secour noticed the breach themselves and closed the access in only four days. In the Anthem breach it was five months, and the breach was noticed by a patient who became the lead in a class action suit against Anthem.

While these were obviously huge breaches by large companies, the lesson applies to small companies as well. You need to know who has access to your PHI and how well they are protecting it. The business associate agreement is the first step, not the last. You need to follow up and be aware of what is actually being done with your data, and if that handling involves anything close to internet exposure, you need to be even more alert. The main purpose of the Omnibus Rule was to make business associates directly liable, as covered entities already were, for protecting PHI. In practice, though, much of the burden of enforcement still falls on the covered entity. There are millions of business associates out there, and HHS and OCR cannot possibly monitor their behavior. They rely on the covered entity to monitor its business associates and hold them responsible if a business associate causes a breach.

One strategy that we use is to have our clients offer free online Security Awareness Training to their business associates. At a minimum they learn more about their responsibilities, and perhaps they take those responsibilities seriously.

For more information contact me at
