Regional employee benefits office takes a proactive approach to protect participants’ data


“I trust Essextec to come in and do what’s best for us. I have peace of mind.” – IT Manager, Regional Employee Benefits Office


A regional employee benefits office that manages benefits for thousands of unionized employees was looking to strengthen and update its IT infrastructure to stay ahead of security risks and regulatory compliance. With members’ pension funds and personal health and welfare funds at stake, no safety measure was too great.


The passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 required benefits providers, such as this benefits office, to protect the personal information of their participants. In recent years, the Health Information Technology for Economic and Clinical Health (HITECH) Act toughened HIPAA laws around breach notification. In September of 2013, a new Omnibus Rule went into effect requiring providers to extend the same compliance standards to all of their third-party business associates, such as vendors.

The implications are significant for this organization. The benefits office recognized the complex risks around its participants’ data and wanted to ensure that member information was protected — and that their IT department was in full compliance.


Business Risk team conducts an assessment – just like an auditor.

Essextec’s Business Risk Services team went to work on a new assignment from this long-time client. Essextec performed a penetration test and a HIPAA gap analysis to show the client where they might be vulnerable — and what they could do about it.

Essextec also advised the office on industry best practices for risk analysis as well as on HIPAA and HITECH mandated or recommended risk analysis


Thanks to a penetration test and gap analysis performed by Essextec, the client was armed with the facts they needed to close the gaps where personal health information was most vulnerable. Today, they’re actively working with Essextec to ensure their priorities are in order and their actions are all properly documented — should there be an audit in their future.
