Vendor Risk

MCG Health is a health information services company providing clinical guidelines to hospitals and other care facilities nationwide. They recently reported a breach that had occurred back in 2020, and already lawsuits from their clients are pouring in. Why does this matter to you?

For most care providers, the extent of their data exposure is limited to their own patient database. In the case of vendors who tap that data, the vendor's exposure encompasses all of the databases they access. If that vendor suffers a breach, it's likely every client's data is part of that breach. So what happens when a vendor like this is breached? We're finding out now.

The lawsuits filed against MCG include their hospital clients, who, as a result of the breach, have had to notify patients and implement much of their breach protocols, as if it happened to them. That's the rub. If your vendor breach includes your data, the stain and pain are on you too. But it could be even worse than that.

A breach like this gets the feds involved. Among the list of questions the feds will have for you, the Covered Entity, is if you have a copy of your Business Associate Agreement AND if you have a copy of your vendor's Risk Assessment. Why? Because in the BAA your vendor is acknowledging they are adhering to the HIPAA requirements, and that includes conducting regular Risk Assessments. If you aren't getting copies from your vendors, you better start now. If you aren't doing this, you could be exposed further OCR scrutiny, enforcement, and penalties.

Finally, because this vendor has thousands of clients, it's likely none of these lawsuits will ever collect anything. It's more probable we will see MCG file for bankruptcy protection - leaving the hospitals and their insurance carriers to foot the bills.

Our HIPAA clients can use our software to collect and track both their vendors' BAAs and their Risk Assessments. We provide the tools to make your compliance easier.