August 2021 Healthcare Breaches

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) publicly posts breaches affecting 500 or more patients to its online breach portal, known as the “HIPAA Wall of Shame.” In August 2021, there were 38 breaches posted on the portal, affecting 5,120,289 patients. August 2021 healthcare breaches predominantly consisted of hacking incidents affecting healthcare providers: 4,656,453 patients were affected by hacking incidents targeting healthcare providers.

Overall, August 2021 healthcare breaches:

  • Affected 30 healthcare providers, representing 97.63% of total patients affected
  • Affected 4 business associates, representing 1.29% of total patients affected
  • Affected 4 health plans, representing 1.07% of total patients affected

August 2021 Hacking Incidents Affected 4.7 Million Patients

Hacking incidents are generally the leading cause behind healthcare breaches, and August was no different. In fact, 31 of the 38 breaches reported in August were due to hacking incidents, representing 92.33% of patients affected by August breaches (4,727,350 patients).

  • 25 healthcare providers were targeted by hacking incidents, affecting 4,656,453 patients, representing 98.5% of patients affected by hacking
  • 4 business associates were targeted by hacking incidents, affecting 66,201 patients, representing 1.40% of patients affected by hacking
  • 2 health plans were targeted by hacking incidents, affecting 4,696 patients, representing 0.10% of patients affected by hacking

Hackers infiltrated these healthcare organizations through two methods: network server hacks and email hacks (phishing).

There were:

  • 18 network server hacking incidents, affecting 4,385,486 patients, representing 92.77% of patients affected by hacking
  • 13 email hacking incidents, affecting 341,864 patients, representing 7.23% of patients affected by hacking

How HIPAA Compliance Prevents Hacking

Hacking should be a concern for any business, but especially those working in healthcare. Hackers often target healthcare organizations to gain access to the sensitive information held on patients (protected health information). While hacking incidents seem to be unavoidable, there are certain ways in which you can better prepare your organization against hacking.

Conduct an Annual Security Risk Assessment and Implement Remediation Plans

As part of HIPAA requirements, organizations working with patient information must conduct an annual security risk assessment (SRA). SRAs enable healthcare organizations to better protect themselves against hacking incidents because they assess the organization’s security practices to identify risks and vulnerabilities to sensitive data, such as PHI. To be HIPAA compliant and bolster cybersecurity, it is important to implement remediation plans that address the deficiencies identified in your SRA.

Security Policies and Procedures

HIPAA security policies and procedures dictate minimum measures that organizations must take to protect electronic protected health information (ePHI). These measures include encryption, user authentication, access controls and audit logs, all of which make it more difficult for a hacker to infiltrate your organization’s systems.

Employee Cybersecurity Awareness Training

Employee error is one of the leading causes behind breaches. Hackers often target employees with phishing emails that pose as a trusted entity in order to trick them into clicking a malicious link or divulging login credentials. Because employees are a major risk factor for your organization’s security, it is important to train them regularly (HIPAA requires annual training) on cybersecurity best practices, and in particular on how to recognize phishing attempts.

Business Associate Agreements

Healthcare providers are often targeted by hackers through their business associates, as many business associates fail to adequately safeguard PHI. This is why HHS requires business associates to be HIPAA compliant and to enter into business associate agreements (BAAs) with their healthcare clients. BAAs are legal contracts that require each signing party to be HIPAA compliant and make each party responsible for maintaining its own compliance.

Let’s Simplify Compliance

Protect your organization from breaches. Become HIPAA compliant today!
