Providence Health Plan, a dental program in Oregon, may have experienced a breach that exposed the protected health information (PHI) of 122,000 patients. The breach resulted from a security breach at Dominion National, Providence's program administrator. The timing of the breach is undetermined, but it may have begun nine years ago, likely in April 2010. Investigations by the FBI and other data security experts are still underway, but the breach may have extended to other insurance plans that use Dominion as an administrator, with a possible impact of 2.9 million patients.
Dominion first suspected the possible breach in April 2019; however, it did not start notifying customers until four months after discovery. It is unclear why the incident took so long to detect and why Dominion waited four months to report it once discovered. Information that may have been accessed includes patient names, birthdates, addresses, Social Security numbers, and insurance information.
Affected patients are being notified and have been offered two years of free fraud protection and credit monitoring services.
Why PHI Breaches in Healthcare are Increasing
FireEye researchers analyzed recent healthcare breaches to determine why healthcare organizations are targeted by hackers. The report pointed to two types of attacks on healthcare organizations: breaches for data theft and breaches to destroy data. Most healthcare breaches are executed to access patient information. PHI is more valuable to hackers than financial information, because the wealth of information collected by healthcare institutions is vast. Additionally, hackers find healthcare organizations to be easy targets, so much so that healthcare is the third-highest industry for retargeted hacks following an incident.
Hackers can use the information they find in a patient's file to commit identity theft or financial fraud, or to craft phishing emails that enable them to target other entities. In addition, hackers with a connection to China often access research information, allowing China to use it to develop prescription medication faster and at a lower cost.
Protecting Against PHI Breaches
Healthcare organizations, and the vendors that service them, must be vigilant in their efforts to secure protected health information. The Health Insurance Portability and Accountability Act (HIPAA) requires organizations working with PHI to have adequate administrative, physical, and technical safeguards in place to protect it. However, HIPAA law does not specifically state which controls must be in place to adequately safeguard the sensitive information.
It is recommended that healthcare organizations implement robust cybersecurity practices, including encryption, multi-factor authentication (MFA), and clear policies and procedures for the handling of PHI. Without widespread implementation of cybersecurity policies across the healthcare sector, it will continue to be the most targeted sector for hacking incidents.