Bloomberg Creative/Getty Images

Concerns about a potential data breach at a major healthcare staffing agency last week may have been overblown, but legal experts insist the threat to healthcare providers relying more than ever on vendors for temporary help is very real.

Staffing company Gale Healthcare Solutions, which serves long-term care providers and other facility types, told McKnight’s that reports of a database breach compromising more than 170,000 records with personal and confidential information had some ”issues” and that a system vulnerability had been addressed months ago.

Still, the report by hacking experts at Website Planet on the storage of worker information, including possible Social Security numbers in file names, served as a warning to long-term care and other providers not to take vendors’ digital standards for granted.

“If a vendor suffers a data breach that potentially compromises employees’ information, an employer could potentially face a class action negligence suit from its employees, who may seek damages stemming from any identity theft or financial fraud that they allegedly suffer as a result of such a data breach,” said attorney Diane Reynolds, partner at McElroy Deutsch. “A data breach with the potential to disclose employees’ protected characteristics and activities such as sexual orientation, disabilities or religion could also potentially result in claims under federal and state civil rights laws.”

While employee and prospective employee information doesn’t have to be protected in the same manner as patients’ personally identifiable information, other standards still apply. Some courts, Reynolds noted, have imposed a common law duty on employers in all sectors to use “reasonable” security measures to secure employees’ personal information.

That duty could extend to temporary employees hired through staffing agencies. Even as providers are desperate for new labor sources, they must continue their due diligence on ensuring secure technology, warned McElroy Deutsch Associate Bradford P. Meisel. 

“Healthcare providers should ensure that they have HIPAA business associate agreements with all vendors as well as boilerplate provisions in all of their vendor agreements requiring vendors to use commercially reasonable security measures,” he said in an email to McKnight’s. “Vendor agreements should also require the vendor to indemnify the customer for any claims stemming from a data breach suffered by the vendor or the vendor’s failure to comply with privacy laws.”

More vendor implications

Prime Care Technologies, an IT firm that offers cybersecurity services to long-term care clients, reported earlier this year that some two-thirds of breaches are now vendor-related. 

Staffing vendors also have an ethical obligation to protect the information of the nurses and other temporary workers they’re placing in nursing homes, said David Coppins, CEO and co-founder of IntelyCare.

“The first indicator of the value a vendor places on information integrity lies in their credentialing process,” Coppins told McKnight’s. “If a vendor is letting a provider work without supplying all of the credentials required by state and federal guidelines, it’s an immediate red flag in terms of their priorities around compliance as a whole.” 

The firm operates in 25 states and makes 90% of its placements in skilled nursing settings. Last week, it premiered a new system allowing nurses to securely maintain and access their required documentation in a single location. That credentialing is overseen by experts trained in document forensics who specialize in fraud prevention, state regulations and compliance.

“Furthermore, we’ve invested millions into keeping all of this data secure, so, our nurses and facility partners are safeguarded on all fronts,” Coppins said.

While many are moving toward outsourcing cybersecurity protections and considering cyber insurance policies, it pays to remain vigilant in-house, Meisel added.

Cyber insurance, he said, should be viewed as a compliment to prudent cybersecurity practices. Cyber insurance does not cover the economic impact of reputational harm caused by a data breach, and some insurers are now disallowing coverage of international attacks as an act of war.

“It is important that long term care facilities both maintain robust cyber insurance coverage and work with an interdisciplinary team of technical and legal experts to ensure that their systems containing personal information of both employees and patients are sufficiently secure to counteract emerging threats,” Meisel said.