Make sure you’ve got contract clauses in place to isolate your business from this kind of third-party risk…:
A Utah eye clinic is in the process of informing 20,000 patients that they were the victims of a data breach that happened a year and a half ago and linked patients to a scam involving PayPal.
The breach at the Utah Valley Eye Center in Provo, Utah, that exposed patient emails once again highlights third-party risk in terms of data security. It also sheds light on the added requirements of medical providers under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) when data breaches occur.
In the incident, which occurred on June 18, 2018, hackers accessed the center’s third-party portal that reminds patients of scheduled appointments, according to a letter dated Oct. 31 the center sent to patients. This resulted in emails being sent to a number of patients informing them they had received payment from PayPal, the center said.
Utah Valley Eye Center outsources its patient-scheduling reminder service to DemandForce, a San Francisco-based provider of marketing and customer-service cloud-based solutions.
“When informed of this letter, we immediately sent an email to these recipients notifying them to disregard the erroneous email,” according to the letter.
Center administrators believe that hackers only gained access to patient emails in the breach, though information such as names, addresses, dates of birth and phone numbers “could have been accessed,” according to the letter.
However, what’s certain is that attackers did not gain access to any personal health or financial information, the center assured patients.