Med Associates breach compromises 270,000 records

The spate of healthcare data breaches continues, with New York-based claims service provider Med Associates the latest healthcare organization to disclose a security incident. Up to 270,000 customers are affected, with patient names, addresses, dates of birth, and insurance information exposed.

Med Associates said in a statement that it had noticed “unusual activity” at an employee’s workstation on March 22, 2018. It investigated the incident, and found that an “unauthorized party accessed the workstation, and through that, may have had access to certain personal and protected information.”

Potentially affected individuals have been contacted by post and told to look out for signs of identity theft or financial fraud.

A significant breach

This breach was far bigger than recent incidents affecting San Francisco-based Dignity Health and Canton-based Aultman Health Foundation. Those incidents exposed the information of a combined 100,000 people, which – although concerning – doesn’t stand out compared to other breaches.

By contrast, the Med Associates breach is the fourth-largest in New York since the introduction of the HIPAA (Health Insurance Portability and Accountability Act) in 2010, which requires organizations to disclose data breaches.

The strict disclosure requirements are necessary because the health sector is especially prone to data breaches – particularly those caused by insiders. Many employees need access to sensitive information to do their job, and it’s all too easy to misappropriate information or breach it accidentally.

Mitigate breaches with ISO 27001

It’s impossible to eradicate the threat of data breaches, but there are certain best practices that organizations can follow to keep their information as secure as possible. Those practices are laid out in ISO 27001, the international standard for maintaining an ISMS (information security management system).

An ISMS is a system of processes, documents, technology, and people that help organizations manage, monitor, audit, and improve their information security. All healthcare organizations should have an ISO 27001-compliant ISMS in place and regularly assess its effectiveness. This requires the skills of a lead auditor – someone who will come into an organization to check that its framework adheres to the Standard’s requirements. It’s an essential role in helping businesses stay on top of their information security obligations and upholding the reputation of ISO 27001.

You can learn everything you need to know to fill this role by enrolling on our ISO27001 Certified ISMS Lead Auditor Online Masterclass.

This four-and-a-half-day course helps you:

  • Understand best-practice audit methodology
  • Prepare, lead, and report on the findings of an information security audit
  • Develop interview techniques
  • Follow audit trails and review documented evidence
  • Learn how to audit risk assessments and business continuity plans
  • Identify nonconformities and ensure appropriate corrective action is taken
  • Practice new skills and develop knowledge by reviewing case studies and participating in role-play exercises and workshops


Leaders in ISO 27001