April 2022 Healthcare Breach Report

A shower of breaches stormed through patients’ protected health information (PHI). In April 2022, there were 44 large-scale breaches reported involving 1,612,672 patients’ data. Most April 2022 healthcare breaches affected healthcare providers, with 29 incidents. These 29 incidents compromised the PHI of 1,496,278 individuals, representing nearly 93% of patients affected by the April incidents. 

Business associates reported 10 additional incidents. Business associate incidents affected 23,324 patients, representing just over one percent of patients affected. 

Five health plans also reported incidents affecting 93,061 patients and representing 5.8% of affected patients. In April, 40 incidents resulted from hacking incidents and unauthorized access or disclosure of PHI. There were two incidents involving theft, one resulting from loss, and one resulting from the improper disposal of PHI.

April 2022 Healthcare Breaches and Hacking

Hacking continued its streak at the top of the list of causes of healthcare breaches in April 2022. There were 29 hacking incidents reported in April that affected more than one and a half million patients. These 29 incidents represented 96% of the breached records reported during the month.

Entities affected by hacking:

• 23 healthcare providers, 1,449,512 patients, 93.5% of patients affected by hacking
• 4 business associates, 10,526 patients, 0.7% of patients affected by hacking
• 2 health plans, 90,830 patients, 5.8% of patients affected by hacking

Types of hacking incidents:

• 12 network server hacks,1,144,699 patients, 73.8% of patients affected by hacking
• 13 email hacks, 297,136 patients, 19.2% of patients affected by hacking
• 2 other, 55,004 patients, 3.6% of patients affected by hacking
• 1 electronic medical record and other, 297,136 patients, 1.9% of patients affected by hacking
• 1 network server and other, 24,029 patients, 1.5% of patients affected by hacking

How to Prevent Hacking Incidents

As hacking incidents have become the leading cause behind healthcare breaches for several years, minimizing your risk of being targeted is crucial.

Security Risk Assessments and Remediation

Security risk assessments (SRAs) are vital for security and compliance. The purpose of an SRA is to identify weaknesses and vulnerabilities in your security practices to prepare yourself against potential threats. Once SRAs have been conducted, it is essential to create remediation plans to address any identified deficiencies.

Employee Cybersecurity Training

A significant portion of hacking incidents results from phishing emails. This is why employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.

April 2022 Healthcare Breaches and Unauthorized Access or Disclosure

Incidents of unauthorized access or disclosures of PHI can occur in two ways – an authorized employee accesses PHI inappropriately, or an unauthorized party gains access to PHI. In April 2022, 11 incidents of unauthorized access or disclosure of PHI were reported. These incidents affected 20,391 patients, representing 1.3% of the breached records reported in April.

Entities affected by unauthorized access or disclosure:

• 5 business associates, 11,901 patients, 58.4% of patients affected by unauthorized access or disclosure
• 3 healthcare providers, 6,259 patients, 30.7% of patients affected by unauthorized access or disclosure
• 3 health plans, 2,231 patients, 10.9% of patients affected by unauthorized access or disclosure

Types of unauthorized access or disclosure:

• 5 paper/films incidents,12,105 patients, 59.4% of patients affected by unauthorized access or disclosure
• 2 network server incidents, 1,411 patients, 6.9% of patients affected by unauthorized access or disclosure
• 2 EMR incidents, 4,511 patients, 22.1% of patients affected by unauthorized access or disclosure
• 1 EMR, paper/film incident, 1,748 patients, 8.6% of patients affected by unauthorized access or disclosure
• 1 laptop incident, 616 patients, 3% of patients affected by unauthorized access or disclosure

How to Prevent Unauthorized Access or Disclosure

As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.

Policies and Procedures and Employee Training

HIPAA policies and procedures are an essential part of HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations. 

User Authentication, Access Controls, and Audit Controls

To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication provides unique login credentials for each employee, while access controls enable administrators to designate different PHI access levels using those unique login credentials. Also, based on the implementation of unique login credentials, audit controls track access to data to ensure that PHI is accessed appropriately by each employee.

April 2022 Healthcare Breaches and Other Causes

In April 2022, there were three other types of breaches reported to OCR that affected a total of 41,413 individuals, representing 2.6% of the breached records reported in April.

• 2 healthcare providers reported thefts of laptops or other devices, 39,401 patients, 95.1% of patients affected by other causes
• 1 healthcare provider reported improper disposal of PHI, 1,115 patients, 2.7% of patients affected by other causes
• 1 business associate reported the loss of a portable electronic device, 897 patients, 2.2% of patients affected by other causes