Langdon & Co data security incident affects over 46K

Langdon & Company LLP, a Certified Public Accounting firm and business associate based in North Carolina, recently disclosed a hacking incident involving unauthorized access to files containing sensitive information of 46,061 patients.

 

What happened

On April 28, 2024, Langdon & Co. detected unusual activity on its network server at its Garner, North Carolina location, and confirmed unauthorized access between April 21 and April 28, 2024. Langdon completed a thorough investigation by June 3, 2025, and notified impacted individuals.

The exposed data may include names, Social Security numbers, medical information, tax IDs, financial account numbers, and digital signatures. Langdon's systems were secured, and the firm is providing affected people with free credit monitoring and identity theft protection.

 

What was said

“In general, individuals should remain vigilant against incidents of identity theft and fraud by reviewing account statements, explanation of benefits statements, and monitoring free credit reports for suspicious activity and to detect errors. Suspicious activity should be promptly reported to relevant parties, including an insurance company, health care provider, and/or financial institution,” the Langdon & Co. LLP, CPAs Data Security Incident official breach notice states.

 

In the know

As a business associate under HIPAA, Langdon is responsible for safeguarding the protected health information (PHI) it handles on behalf of Easterseals. Federal law therefore requires it to have appropriate administrative, physical, and technical controls in place to preserve the confidentiality, integrity, and availability of that information.

These include conducting regular risk analyses, training employees in privacy and security procedures, and establishing procedures to detect and respond to security breaches in a timely fashion. Failure to comply with these requirements can lead to huge fines as well as increased vulnerability to cyberattacks.

Business associates also have contractual obligations to covered entities like Easterseals to maintain stringent data security measures and support breach notification procedures.

 

The bottom line

Because third-party vendors such as accounting firms handle PHI, they become targets for cyberattacks. Breaches at these vendors put patient privacy and organizational compliance at risk and compromise management and cybersecurity protocols.

 

FAQs

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

 

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.

 

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.