August Healthcare Breaches

August was another month with several large healthcare breaches. A total of 44 August healthcare breaches were reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), affecting 710,279 patients. Most of them, 64% of the reported breaches, were classified as Hacking/IT Incidents.

The following were the most impactful August healthcare breaches:

Hacking/IT Incidents

  • Presbyterian Healthcare Services affecting 183,370 
  • Wisconsin Diagnostic Laboratories affecting 114,985 
  • Grays Harbor Community Hospital affecting 88,399 
  • Mount Sinai Hospital affecting 33,730
  • Integrated Regional Laboratories, LLC affecting 29,644
  • Timothee T. Wilkin, D.O. affecting 15,113
  • University of Missouri Health Care affecting 14,402

Unauthorized Access/Disclosure

  • Conway Regional Health System affecting 37,000
  • NorthStar Anesthesia, P.A. affecting 19,807

Lost Device

Lost or stolen devices used to be the most common cause of healthcare data breaches; hacking incidents have now far surpassed every other cause. As such, covered entities (CEs) and business associates (BAs) must be vigilant in safeguarding protected health information (PHI).

How to Prevent Healthcare Breaches 

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates that handle PHI to implement administrative, technical, and physical safeguards to secure it.

  • Administrative: there must be written policies and procedures governing the handling of PHI. Employees must be trained on HIPAA regulations and on the organization’s policies and procedures; annual training is the usual practice. Employees should also receive security awareness training so they can recognize phishing emails and other signs of compromise. Breaches are contained faster when employees can identify an incident quickly and know whom to report it to.
  • Technical: security controls must be in place to protect electronic PHI. At a minimum, firewalls and data backups should be deployed. Firewalls restrict network access to the systems that hold PHI, while backups ensure that data can be restored after a breach or natural disaster (backups should be kept offline or otherwise isolated from production systems so that ransomware cannot destroy them along with the live data). Encryption of PHI is an “addressable” rather than a required specification under the HIPAA Security Rule, but it is strongly recommended: PHI that is properly encrypted is not considered “unsecured,” so the loss of an encrypted device does not by itself trigger breach notification.
  • Physical: the premises from which an organization operates, and any location where PHI is stored, must be secured against unauthorized access. Locks and alarm systems on areas containing PHI are best practice for data security.

With healthcare breaches on the rise, organizations handling PHI must have the proper measures in place to prevent them. A breach is costly: HIPAA civil penalties can reach $1.5 million per year for each violation category, and a breach also brings the cost of notifying affected patients and the reputational damage that follows. Organizations working in healthcare should make cybersecurity a top priority.

