A data breach has affected nearly 20,000 patients of behavioral health engagement company Aptihealth.
Aptihealth has reported a data breach involving the protected health information (PHI) of 19,805 patients. The breach occurred between March 13, 2024, and April 10, 2024, at Sisense, a business associate that provides data analytics services to Aptihealth. Sisense notified Aptihealth of the breach on April 17, 2024. Sisense has confirmed that its systems have been secured and that the affected server is no longer accessible. Aptihealth has established a call center for patients who want further information.
A business associate is an individual or entity that performs functions or activities on behalf of a covered entity, such as a healthcare provider, that involve the use or disclosure of PHI. Under the Health Insurance Portability and Accountability Act (HIPAA), business associates are required to ensure the confidentiality, integrity, and availability of the PHI they handle. They must implement appropriate administrative, physical, and technical safeguards, report breaches, and comply with the terms of their business associate agreements (BAAs), which detail their obligations to protect patient information from unauthorized access or disclosure.
As a business associate, Sisense is responsible for protecting the PHI it handles on behalf of the covered entity, Aptihealth. How the attackers gained access to Sisense's systems has not been disclosed, so no conclusion can be drawn about which control failed; what the incident does show is that the safeguards in place were not sufficient to prevent nearly a month of unauthorized access to a server holding PHI, and that they will need to be reviewed and strengthened.
Business associates carry responsibilities for PHI that closely parallel those of covered entities. Since the 2013 HIPAA Omnibus Final Rule, business associates have been directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, not merely contractually bound through their BAAs. A breach at a business associate therefore exposes the business associate itself to enforcement, in addition to the obligations it triggers for the covered entity whose patients are affected.
Under the HIPAA Breach Notification Rule, the covered entity is responsible for notifying affected individuals once a breach of unsecured PHI has occurred. If the breach involves a business associate, the business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovering the breach, and must supply the information the covered entity needs (to the extent the business associate has it) to notify affected individuals, the Department of Health and Human Services (HHS), and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets. The covered entity's own 60-day clock runs from the date it discovers the breach, and if the business associate is acting as the covered entity's agent, the business associate's discovery is treated as the covered entity's discovery, so reporting delays at the business associate do not extend the deadline.