A state insurance plan subcontractor is at the center of a serious security incident after hackers gained three months of unfettered access to its computer system, compromising thousands of members' health records. What's more, despite discovering the HIPAA breach in April, it took officials some four months to notify those affected.

 

The Dallas-based Onsite Health Diagnostics – a medical testing and screening company, which contracts with the state of Tennessee's wellness plan – notified 60,582 people that their protected health information was accessed and stored by an "unknown source." The breach affected members from the Tennessee's State Insurance Plan, Local Government Insurance Plan and Local Education Insurance plan. 

 

[See also: Vendor sacked for HIPAA breach blunder.]

 

The system accessed, as OHD officials pointed out in an August notification letter, was not in official use since fall 2013. Health benefit member names, dates of birth, addresses, emails, phone numbers and gender were compromised in the incident. 

 

When pressed for details regarding the security incident, state officials did not respond in time for publication. 

 

"We are sorry for any inconvenience or concern that his may have caused you," wrote Kyle Alexander, chief executive officer of Onsite Health Diagnostics, in a member notification letter. "OHD has received no reports of identity theft related to this incident. We take the security of your personal information very seriously."

 

[See also: HIPAA security gaffe puts PHI on Google.]

 

Under the new HIPAA final rule, which took effect last fall for covered entities, business associates and subcontractors, now along with covered entities, must comply with HIPAA privacy, security and breach notification rules. 

 

At HIMSS14 this February, then deputy director for health information privacy at OCR Susan McAndrew said about 25 to 27 percent of the HIPAA privacy and security breaches reported to OCR involved a business associates, often going as high as 64 percent.  

 

To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the HHS Office for Civil Rights.