In another banner month for healthcare breaches, the OCR Breach Portal listed 54 incidents affecting 15,349,203 patients. The most affected group was health plans, reporting 6 incidents affecting 13.9 million patients. This was followed by healthcare providers who reported 34 incidents, affecting 1 million patients.
Business associates also reported 12 incidents, affecting 274,475 patients, and one healthcare clearinghouse reported an incident affecting 77,434 patients. We’ll examine what caused April 2024 healthcare breaches and how they could have been prevented.
9 Incidents of Unauthorized Access or Disclosure
April 2024 was the first time in a while that hacking was not the leading cause of healthcare breaches for the month. More patients were affected by incidents of unauthorized access or disclosure of protected health information (PHI). This can be mostly attributed to one incident reported by Kaiser Foundation Health Plan, Inc. that affected a whopping 13.4 million patients.
There were 9 incidents of unauthorized access or disclosure reported in April 2024. These incidents affected 13,428,243 patients, representing 87.48% of patients affected by April incidents.
Who reported these incidents, and how many patients were affected?
- 4 healthcare providers, 21,353 patients
- 3 health plans, 13,406,340 patients
- 1 business associate, 550 patients
How to Prevent Unauthorized Access or Disclosure
As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.
Policies and Procedures and Employee Training
HIPAA policies and procedures are essential to HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations.
User Authentication, Access Controls, and Audit Controls
To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication provides unique login credentials for each employee, while access controls enable administrators to designate different PHI access levels tied to those unique login credentials. Because every login is unique to one employee, audit controls can attribute each access to an individual and track whether PHI is being accessed appropriately by that employee.
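The following is an added illustration, not code from the original post: a minimal PHI access broker that ties every read to a unique user identity, restricts each role to the record fields it needs (the minimum necessary standard), and keeps an audit trail that a reviewer can check for denied attempts and unusually broad access. The roles, field mappings, patient records, and the per-user patient threshold are all constructed assumptions.

```python
from collections import defaultdict

# Role -> fields of a patient record that role may view (assumed policy, for illustration)
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "front_desk": {"name", "dob"},
}

# Constructed sample records; values are placeholders, not real PHI
RECORDS = {
    "P001": {"name": "Patient One", "dob": "1980-01-01", "diagnosis": "dx-a",
             "medications": "rx-a", "insurance_id": "INS-001"},
    "P002": {"name": "Patient Two", "dob": "1975-05-05", "diagnosis": "dx-b",
             "medications": "rx-b", "insurance_id": "INS-002"},
}

AUDIT_LOG = []  # one entry per access attempt, whether it succeeded or was denied


def access_phi(user_id, role, patient_id, fields):
    """Return only the requested fields the user's role permits, logging every attempt.
    user_id is the unique login identity that makes each audit entry attributable."""
    permitted = ROLE_FIELDS.get(role, set())
    denied = sorted(set(fields) - permitted)
    AUDIT_LOG.append({"user": user_id, "role": role, "patient": patient_id,
                      "fields": sorted(fields), "denied": denied})
    if denied:
        raise PermissionError(f"{user_id} ({role}) is not permitted to view {denied}")
    return {f: RECORDS[patient_id][f] for f in fields}


def review_audit(log, max_patients_per_user=1):
    """Audit-control review: list denied attempts and users who opened more distinct
    patient records than their expected workload (the threshold is an assumption)."""
    denied = [e for e in log if e["denied"]]
    patients = defaultdict(set)
    for e in log:
        if not e["denied"]:
            patients[e["user"]].add(e["patient"])
    broad = {u: len(p) for u, p in patients.items() if len(p) > max_patients_per_user}
    return {"denied_attempts": denied, "broad_access": broad}


if __name__ == "__main__":
    access_phi("dr.lee", "clinician", "P001", ["name", "diagnosis"])
    access_phi("dr.lee", "clinician", "P002", ["name", "medications"])
    try:
        access_phi("clerk7", "front_desk", "P001", ["name", "diagnosis"])
    except PermissionError as err:
        print("blocked:", err)
    print(review_audit(AUDIT_LOG))
```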
44 Hacking Incidents Affected 1.9 Million
There were 44 hacking incidents reported in April 2024. These incidents affected 1,919,637 patients, representing 12.51% of patients affected by April incidents.
Who reported hacking incidents, and how many patients were affected?
- 28 healthcare providers, 989,438 patients
- 11 business associates, 273,925 patients
- 4 health plans, 578,840 patients
- 1 healthcare clearinghouse, 77,434 patients
How to Prevent Hacking
As hacking incidents have become the leading cause behind healthcare breaches for several years, minimizing your risk of being targeted is crucial.
Security Risk Assessments and Remediation
Security risk assessments (SRAs) are vital for security and compliance. An SRA aims to identify weaknesses and vulnerabilities in your security practices to prepare yourself against potential threats. Once SRAs have been conducted, it is essential to create remediation plans to address any identified deficiencies.
Employee Cybersecurity Training
A significant portion of hacking incidents results from phishing emails. Employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.
April Improper Disposal and Loss of PHI
There were two other incidents reported in April 2024, affecting 77,434 patients. One was classified as improper disposal, and the other incident was a loss of PHI. These incidents affected 0.01% of patients affected by April 2024 healthcare breaches.
Proper PHI Disposal
The Privacy Rule does not dictate that any particular methods to dispose of trash containing PHI be used. Nonetheless, the Department of Health and Human Services (HHS) has developed guidance related to PHI disposal methods. Under this guidance, proper paper PHI disposal methods may include, but are not limited to:
- Shredding,
- Burning,
- Pulping,
- Pulverizing, or
- Other methods that render PHI unreadable and unable to be reconstructed.
Proper PHI disposal may also be accomplished by:
- Maintaining labeled prescription bottles and similar forms of PHI in a secure area in opaque bags; and
- Using a business associate disposal vendor to remove and shred or otherwise destroy the PHI.
Other methods of disposal may also be appropriate, depending on the circumstances. Covered entities, in developing their policies and procedures, should consider the steps that other prudent healthcare and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity.
When covered entities and business associates dispose of ePHI or electronic media that contains ePHI, they should make sure that the ePHI or electronic media are rendered unusable, unreadable, and/or inaccessible.
One common method of disposal that ensures data is rendered unusable, unreadable, or inaccessible is known as degaussing. Degaussing involves applying a strong magnetic field to magnetic storage media, fully erasing the data in the process.
Another method of HIPAA ePHI disposal is known as clearing, which is using software or hardware products to overwrite media with non-sensitive data.
Entities that do not have degaussing equipment can dispose of electronic media by physically damaging it beyond repair, making the data inaccessible. HIPAA ePHI disposal can also be performed by disintegrating, pulverizing, melting, or incinerating the media.
Hardware, such as a physical hard drive, may be disposed of by physically damaging the drive beyond repair. This process is known as physical shredding.