The Equifax data security breach that exposed the financial information of 143 million Americans to hackers is hitting close to home in healthcare.
Equifax is the financial verification vendor to HHS for millions of enrollees on the marketplace exchanges created under the Affordable Care Act.
As such, the company assists the government in determining who is eligible for subsidies and for extracting other financial information.
The CMS is monitoring the situation, but has been informed by Equifax that exchange data was not part of the breach, an HHS spokeswoman said Tuesday.
But regardless of how the investigation of the breach and its aftermath play out, it is a cautionary tale about how vendors can leave hospitals and payers vulnerable to cybersecurity attacks, said Michael Ebert, a KPMG partner who leads the firm's healthcare and life sciences cybersecurity practice.
"That happens a whole lot," Ebert said of healthcare data breaches happening because of vendor vulnerabilities.
Anthem in late July said it had been hit by another data breach that could affect more than 18,000 people after a third-party vendor's employee emailed member records to himself.
Equifax did not respond to a request for comment.
A recent KPMG study found that 47% of payers and providers surveyed had instances of security-related HIPAA violations or cyberattacks that resulted in data loss or system compromise in the past 24 months.
The survey also showed that more than 40% of healthcare companies would pay the ransom to unlock their IT systems after being hacked by ransomware.
Data sharing with third parties is seen as one of the biggest vulnerabilities among healthcare providers and insurers, with 63% of respondents naming it as a key vulnerability, more than the share concerned about Internet-enabled devices leading to a breach, the survey showed.
KPMG surveyed 100 C-suite security executives at healthcare companies and another 100 at life sciences companies.
Ebert said hackers have become so sophisticated that an employee or vendor clicking on the wrong email can expose healthcare companies to data breaches.
When even a financial data company the size of Equifax can be pierced to reveal detailed personal financial information on almost half the U.S. population, it signals how companies must redouble their efforts to protect their data, Ebert said.
"I was surprised," Ebert said when he learned of the Equifax breach.