Third-Party Vendor Risk in Healthcare

Posted by Mark Greisiger

A Q&A with Ozzie Fonseca of Experian
Last year’s data breach at Medical Management, LLC highlights the importance of third-party vendor oversight in the healthcare space. In this specific case, a call center agent at a billing company was copying information and sharing it with an unauthorized third party, leading to the exposure of thousands of patients’ records from 40 providers. We spoke to Ozzie Fonseca of Experian Data Breach Resolution about its implications for healthcare organizations.

Why is this case significant and what does it mean for healthcare organizations?

It’s a great reminder that businesses and healthcare organizations need to safeguard data beyond internal controls. When you work with third parties and share PHI and PII you’re giving up control and taking on some risk. This case shows us that people who have access to sensitive data may have financial incentives to expose it, even if well-designed protocols are in place.

What can organizations do to mitigate this type of risk?

The first thing that comes to mind is that healthcare organizations should have a comprehensive list of third-party vendors with visibility into all of the third parties currently managing or processing potentially sensitive data. Business agreements should have controls in place to monitor these activities. As with any type of contract, what’s agreed upon verbally is irrelevant if it’s not in writing. If you’re giving a vendor access to PHI, there needs to be assurances that the PHI will be properly stored, handled and destroyed once it’s not needed anymore. And bad behavior needs to be punished with liability provisions written into the contract. Written policy ensures that the third-party organization is held to some standard.

Organizations should also do some due diligence when choosing third-party vendors. The vendor should perform background checks on hires to make sure there are no “planted” employees who have been paid to assist with data theft schemes. In the case of a call center such as this one, calls should be recorded and/or monitored as they happen. Cell phones should be left at the door. The call center should be paperless to ensure no one can capture data and leave with it. The organization also needs to have a way to remotely monitor third-party activities, such as regular visits to the site by auditors as well as the ability to send people there unannounced. You should have a clear idea of where sensitive info is being stored and make sure that third-party employees are only accessing what they absolutely need to do their job.

Finally, purging old data is critical. Most breaches I work on, especially in healthcare, have to do with old records that are lying around for no other reason than people thought it might be useful to have them.

What’s the worst-case scenario for an organization in a third-party breach such as this one?

As with any breach, there’s reputational damage for the organization. Both clients and employees will lose confidence in the organization’s security policy if they feel it hasn’t been valued. For the patients involved, there’s the risk of medical fraud: false insurance claims, false prescriptions and stolen medical care. On the financial side, there’s the potential that thieves could file false IRS returns or take over their accounts. Breaches are not silos these days—people are creating large repositories of data so that all of these events could happen once the information is out there.

Can you speak to the timeline and the delayed discovery of the Medical Management breach?

It’s actually fairly typical to have delays. The latest statistic we’ve seen from the cybersecurity firm FireEye is that on average it takes an organization 229 days to detect a breach.

How can credit monitoring help in a case like this?

In the context of healthcare breaches, credit monitoring often gets a bad rap because people think it’s not going to detect medical fraud. The reality is that it’s incredibly helpful in any breach. If you lose your name, SSN, date of birth or any other information, you want to know when it’s being misused—that includes the creation of new accounts, new employers, new addresses, medical collections, etc. Credit monitoring can detect all of this and it can give us visibility into the symptoms of medical and identity theft. The number of healthcare breaches is only increasing and there are hundreds of millions of records that could potentially fall into the wrong hands. We have to use every tool we’ve got to address this issue.

In Summary…
We want to thank Ozzie Fonseca, a guru in the fraud prevention/credit monitoring space, for his insights. Of special interest was his comment pertaining to old customer files with PII. When not properly retired or disposed of, these files can result in a data loss breach. He also highlights the difficulty organizations have in detecting a breach, with an average of 229 days to detection—we can blame weak or nonexistent incident detection systems for this lag. That anemic practice alone will catch the attention of both class action plaintiff lawyers and State Attorneys General.


NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.