A large agency we work with was the victim of a White Hat Hacker (WHH). The hacker didn’t sell the client data on the black market, he didn’t abuse the data at all. He hacks into vulnerable systems to alert companies to their security weaknesses so they can fix them before the bad guys (black hats) detect and exploit the weakness. Both types of hackers use the same techniques. The WHH can be an ethical superhero, but many of them do it for a payout and some just do it for ego.
This WWH found a way into a cloud server that did not store ANY MEDICARE data. Nevertheless, the carrier terminated the agency’s Medicare contract–for life–because of a failure to report the breach of ACA data. The HITECH Act of 2009 requires breaches where more than 500 individuals are impacted, to have more rigorous disclosure requirements. The hacker got access to 3,000 files, and even though he didn’t do anything illegal with the information, the agency should have notified every carrier as soon as they were aware of the breach.
Here is the unique situation they were in: the WHH never contacted the agency. They contacted one of the insurance companies whose policies were stored on the server. 
The insurance company notified the agency owner, who immediately closed the “hole” where the hacker got in. This agency had no idea what data was accessed and the hacker would never return his calls or emails. (So much for wearing a white hat).
The agency owner should have erred on the side of notifying every carrier that he had ever contracted with. Since he did not, and the hacker eventually notified several other carriers, before the agency owner self-reported the breach, his contract was terminated and he has a Do Not Recontract on his record for life. Quite a harsh punishment when no client’s were harmed! The carrier stated, “We are partners with the Federal Government and we must take every breach very seriously.”
Had the agency, self-reported immediately, there would likely have been a different outcome. Since all agencies, no matter the size, are at risk of a white or more likely, a black hat hack, remember that you first move after you have your IT people close down your system to further attack, should be to the carriers to notify them of the breach!
The best way to protect your agency is to hire an IT company to give you a state-of-the-art IT security system and to do regular stress-testing on your system. Have company protocols in place in case of a breach and update everything annually.
Read more about breach notification rules here. See how many breaches happened in 2017 and in what sector of industry here.
