
Iowa Reports Third Big Vendor Breach This Year
[ Posted: 2023-06-06 ]
The state government of Iowa has reported its third major health data breach since April, all involving third-party vendors. The most recent breach occurred at dental health insurer MCNA Insurance Co., with the Iowa Department of Health and Human Services disclosing that hackers compromised the protected health information of nearly 234,000 Iowa residents. Nationwide, the incident affected approximately 9 million Americans, including members of other MCNA clients such as state health departments and Medicaid agencies. MCNA confirmed that the 234,000 affected Iowa Medicaid members reported by the state are part of that nationwide total.
This year, Iowa's Department of Health and Human Services has already reported two other significant breaches involving incidents at business associates. One breach affected 21,000 individuals and was traced back through contractor Telligen to a hacking incident at a subcontractor called Independent Living Systems (ILS). The ILS breach impacted around 4.2 million people across the country.
On May 26, Iowa reported yet another breach involving business associate Amerigroup. In this case, Amerigroup inadvertently disclosed the protected health information of 833 Iowa Medicaid members to 20 healthcare providers through paper explanation of payment notices.
Security Officer Comments:
The occurrence of three significant breaches within a short period highlights the vendor risk challenges faced by many state agencies. As organizations expand, sharing mission-critical data becomes more crucial, and new connections are established to meet business requirements. This is referred to as "business-to-business (B2B) connectivity." B2B connectivity lets organizations communicate and collaborate seamlessly and exchange vital data and information. However, while these connections are necessary for efficient operations, they also introduce security risks that organizations must carefully manage and mitigate.
Suggested Correction(s):
Organizations should prioritize vendor risk assessments for third parties that handle large amounts of electronic protected health information or have remote access to their networks. Organizations should carefully review business associate agreements, ensuring they include provisions for timely breach notification and allow for periodic risk assessments. It is no longer sufficient for covered entities to simply sign the required agreements; they must also conduct risk assessments on their vendors. Consultants advise covered entities to explore all options before signing a vendor's business associate agreement and to scrutinize the agreement's indemnification clause to ensure the best protection for their data. Business associates must acknowledge their responsibilities, including financial ones, in the event of a data breach.
Link(s):
https://www.bankinfosecurity.com/iowa-reports-third-big-vendor-breach-this-year-a-22236
Cyber Security Cafe
Cyber Security Cafe is a private public service and offers no goods or services. It only posts the current cyber threats we are facing, what we can do to avoid being affected, and, if we are affected, what we can do to correct the problems and avoid intrusions in the future.