One healthcare vendor is arguably having a very rough year.
Eye Care Leaders is embroiled in a provider-led lawsuit, accusing ECL of concealing multiple ransomware attacks, and recent breach notices showed another ransomware attack was deployed against the electronic medical record (EMR) vendor in December.
A single security incident can cause reputational damage and a host of monetary losses. But for healthcare business associates and their impacted clients, the issues can be far more complicated. With the ECL situation, the issues brought to light in the last few months have dramatically amplified the fallout.
Under the Health Insurance Portability and Accountability Act, covered entities that contract with vendors interacting with patient data must enter into a business associate agreement. The BAA details specific requirements the vendor must adhere to, in compliance with HIPAA, and is typically tailored to meet the needs of the relationship.
It raises the question: What can providers do when contracted with a problematic vendor?
To be clear, ECL is not the first healthcare entity to experience multiple attacks, nor should providers immediately seek to exit business associate relationships over a security incident.
But the volume of incidents reported — and unreported — by ECL seem to be more than normal and in such a short period of time, explained Pam Hepp, a healthcare attorney at Buchanan Ingersoll & Rooney and co-chair of the firm’s Cybersecurity and Data Privacy Group.
The Department of Health and Human Services' Office for Civil Rights considers “egregious” situations as those that result in larger civil monetary penalties. Hepp recalled past incidents where certain providers ignored OCR’s investigation, along with disagreeing or not adhering to the guidance that stemmed from the audit.
“There are different flavors, if you will, of egregious behavior,” said Hepp. “This is one where I would say, just in terms of the sheer volume of incidents, there does seem to be more than what we normally see.”
In her experience, problematic reporting issues typically stem from miscommunication, such as speaking too soon before enough forensic evidence has been gathered.
However, any comment directly on ECL’s ongoing situation would be conjecture.
SC Media spoke to a number of HIPAA thought leaders about the legal issues and possible HIPAA mechanisms that could support covered entities facing similar contractual issues. In short, legal remedies are often a last resort when other means fail.
Eye Care Leaders did not respond to a request for comment, and an HHS OCR spokesperson told SC Media the agency can’t comment on open or potential investigations.
ECL's year of security turmoil
In mid-April, a lawsuit filed in the U.S. Court for the Middle District of North Carolina by three healthcare-covered entities made a long list of shocking allegations. In the suit, Alliance Ophthalmology, Dallas Retina Center, and Texas Eye and Cataract paint a concerning state of security.
Purportedly, “ECL suffered an outage [in March 2021] as a result of a ransomware attack, a fact it concealed from its clients for weeks” and failed to keep the providers apprised of potential damages or even its restoration efforts.
Instead, ECL allegedly misrepresented the incident to its clients, “continually promising service would be restored when it was not to encourage physicians not to move to new service providers,” while continuing to invoice the providers for services that were never provided.
“Many of those services remain unavailable months after the outage first occurred,” according to the lawsuit. Not only that, the clients say they also experienced multiple periods of service outages that “were met with further misrepresentations by ECL.” As a result, providers were unable to bill patients, as they had no access to patient data to do so.
The initial ransomware attack allegedly caused multiple periods of downtime that lasted from four to seven days. SC Media previously examined the impacts of the alleged incidents at length. The lawsuit also details the remaining allegations, which include:
- Additional outages occurred throughout the month of April and another three-day outage period in June
- Lost patient data that was never returned to clients
- Billing clients for full services, as if the outages did not occur
- “Continually refusing” to provide clients with their data so they can transition to a new vendor
- Violating multiple contract clauses promising limited downtime or outages
- HIPAA violations, including breach reporting and timely incident notification
- Inadequate security
The lawsuit also claims that ECL’s myCare integrity platform experienced a ransomware attack in August 2021, separate from the March incident, again characterizing the issue as a “performance or system” problem, before informing clients nearly one month later that the weeks-long outages were caused by ransomware. Allegedly, the attack was launched by a former employee.
“In short, for months on end, licensees’ practices were crippled due to ECL’s failures to maintain security of its patient information and access and functionality of myCare Integrity,” according to the suit. Providers were unable to “access any patient information for more than a month” and were forced back to paper processes and manual entry for patient visits.
The providers lost patients due to the incident. But moreover, after more than six months, these providers claim the “full functionality of myCare Integrity has not been restored.” The providers who attempted to transition from the ECL platform to another EMR claim that ECL couldn’t export patient data.
The lawsuit also alleges that its revenue cycle management services, which it contracted out to another vendor, were also frequently problematic. Long before the ransomware attack, surgeries were billed to the wrong provider and patients were sent bills under the wrong client name in some instances. The issues, and a host of others, continued for more than a year.
It should be noted that none of these parties and related incidents are listed on HHS's breach reporting tool.
Any one of the issues described above would be cause for alarm. But over the last month, multiple provider organizations have sent breach notices to well over 300,000 patients about a December ransomware attack against its third-party vendor: ECL. So far, the tally includes Regional Eye Associates, EvergreenHealth, and Summit Eye Associates, among several others.
What’s more, the notices show ECL did not notify the provider organizations until nearly a month after the HIPAA-required 60 day timeframe, and none of which mention the alleged cybersecurity incidents outlined in the lawsuit.
During the December attack, the threat actor accessed the EMR platform and the data it contained, before they “deleted databases and system configuration files.”
Finally, following the lawsuit, SC Media became aware that Greg Lindberg, ECL’s founder and named director was “convicted of conspiracy to commit honest services wire fraud and bribery concerning programs receiving federal funds” last year and was sentenced to 87 months in prison.
HIPAA’s requirements for healthcare vendors
When working with a business associate, to manage protected health information of patients, covered entities must enter into a business associate agreement, which contains very specific provisions, such as the required safeguards for the business associate and incident reporting, said Andrew Mahler, vice president of privacy and compliance for CynergisTek.
The privacy rule also says “if the covered entity becomes aware of a pattern or practice of the business associate that violates the agreement in place, the covered entity can also be held liable,” he explained.
The rule imparts the importance of having effective vendor management in place to understand, not just what companies fall under the business associate requirement, but that the entity has the proper agreements in place. When properly managed, the entity will also perform routine checkups with the vendors.
From a risk perspective, if an entity discovers the vendor or business associate is in violation of the agreement as part of its vendor management process or alerted in another way, the covered entity does have some options, Mahler said.
Contractually, there are two ways for a provider to break a relationship with a problematic vendor: either severing ties or allowing them the opportunity to correct it.
The vendor’s data “is essentially [the provider’s] data, which they're allowing the vendor to manage,” he explained. In theory, a provider organization “could break the contract, depending on the contractual language, and say, ‘You know, this is a clear violation of the agreement, and we're not able to do business anymore.’”
“Many contracts also have language that allows either party the opportunity to correct or cure the issue,” he added. As such, if a business associate alerts the entity to an issue under investigation, such as an ongoing issue, there may be some flexibility for the entity to “give the vendor some time to fix it without breaking the contract.”
There are also legal options if cures aren’t found in the contract. In those cases, the covered entity may seek legal remedies to hold the vendor accountable in some way, if “for whatever reason, they're not able to terminate the relationship or if there’s been another type of gross violation.”
Can HHS OCR help with enforcement against business associates?
Under HIPAA, providers are required to have an effective compliance program based on federal guidelines, which must include reporting, communication and notifying for security incidents. OCR is able to fine or impose civil monetary penalties, as well as a corrective action plan.
However, the agency is not known for putting healthcare entities out of business. The Department of Justice has frequently targeted healthcare as part of its fraud abuse unit, but those instances are clearly tied to obvious crime and not contractual or compliance issues.
In reality, there aren’t many prescriptive regulations as each healthcare entity is unique in its business practices and even the flow of data. As such, HIPAA and OCR relies on the organization to do its due diligence with business associates. That means, covered entities should be taking their own remedial measures to ensure their vendors.
But a look at past OCR enforcement actions against business associates shows it’s clear they can be held directly liable from an enforcement perspective under HIPAA. As such, Hepp stressed that transparency is critical in these situations once the facts are determined.
The types of activities that garner enforcement action by OCR include “failure to initially conduct the appropriate risk assessments, [lack of] reasonable and appropriate security measures, failure to take remedial measures, and failure to provide timely notice to the covered entities,” said Hepp.
In terms of multiple security incidents, OCR may actually view them as separate incidents, particularly due to the allegations that one of the three attacks was caused by a malicious insider.
The analysis would focus on the exploited vulnerability, whether it was known, and if so, was it fixed, as well as whether there were patterns behind each incident that could have been caused by overlooked security measures. OCR may also look at the time to respond, prior to conversations with the impacted entity about the issues or compliance plans.
From an outside perspective, it certainly appears that ECL may be struggling with some of those elements.
However, covered entities are also responsible for properly vetting their vendors. And OCR has indeed held provider organizations directly liable for a breach by their business associates, although Hepp said it’s rare and usually enforcement stems from not having a business associate agreement in place, or “they have not appropriately vetted that vendor.” If a provider becomes aware that a vendor is having issues, they should certainly look at reevaluating that relationship.
“In the past, regulators have taken a stronger stance, in terms of the need for covered entities to be vetting their vendors,” said Hepp. Business associates agreements are contractual obligations under HIPAA, which means a covered entity must perform due diligence in the form of “deeper dives security assessments of their vendors, as appropriate.”
The overlooked HIPAA element: Without undue delay
There are a number of covered entities and their vendors that haven’t been reporting breaches in a timely way, explained Mahler. Some of them have been investigated, and have been penalized for that.
Organizations may struggle with timeliness when they’re attempting to figure out the day of discovery and “when the clock starts ticking.” But what’s really important to note about HIPAA is that it doesn't just require notification to the individuals or to the covered entity, within 60 days of a breach: “it specifically says, ‘without unreasonable delay,’” Mahler stressed.
“I think people skip over that,” Mahler continued. “They just go right to 60 days, and it's something really important for organizations to consider, because it's conceivable that a regulator could find that even though they've maybe made notification within 60 days, it was an unreasonable delay.”
Entities must be cognizant that they’re “working under a couple of different clocks" — the undue delay clock, the unreasonable delay clock, and the “hard” clock at 60 days.
Why would a provider stay with a problematic vendor?
The recently disclosed breach notices revealed another interesting development: just one of the covered entities severed ties with ECL after the incident. Although the details into these specific entities and ECL are unknown, given the HIPAA requirements, it seems as if the number should be higher.
To Mahler, it reinforces the importance of including vendor management as part of an ongoing risk analysis.
“These issues can really put providers stuck between a rock and a hard place,” said Mahler. From an outsider perspective, “it's easy to say, ‘this issue is egregious, how could they continue to do business with them?’ But the reality may be that this is the only vendor that does this type of work, or it may be one of only a couple different vendors.”
“You can't treat patients without those vendors, and those are going to be vendors that you need to pay close attention to,” he added. “Because if something bad happens, you may not have a lot of other places to go to be able to treat your patients or provide the care they need.”
Hepp agreed that niche vendors can limit the ability of providers to transition or take remedial action. But systemic compliance issues must spur providers to revisit or revise the relationship, to verify the vendor is beefing up their measures after a series of events.
In addition, the sheer cost of attempting to shift EMRs may also force providers to continue a relationship with a vendor. Typically, smaller providers partner with cloud EMRs as they may not have the resources to build something in-house.
In healthcare, a provider can do all of the right things as required by HIPAA and other laws, and bad things will still happen. It’s cavalier to say it’s the cost of doing business, but incidents will happen. For Hepp, the serious reconsideration of a vendor relationship should come after “repeated patterns” because “there is a duty to remediate ass a covered entity.”
At the end of the day, providers must focus on training and educating staff and employees, “really putting an emphasis on compliance and ethics,” said Mahler. “That's when you start to have good cultures of compliance and ethics.”