Each month, we review healthcare breaches posted on the Office for Civil Rights (OCR) online breach portal to determine the leading causes and how the incidents could have been prevented. The OCR publicly posts healthcare breaches that affected 500 or more individuals to ensure that all affected patients know their information could have been potentially compromised.
Breaches dropped significantly in December 2022, with 2,169,696 records containing patients’ protected health information (PHI) breached, down from 6,904,441 records in November. After a one-month hiatus, Hacking/IT incidents were again the cause of the largest amount of PHI breached in December 2022, with more than 1,960,136 records.
In December 2022, there were 38 large-scale breaches reported, 23 of which affected healthcare providers. These incidents compromised the PHI of 1,185,361 individuals, representing 54.6% of patients affected by the December incidents.
Business associates reported 11 additional incidents that affected 954,447 patients, representing 44% of patients affected.
Four health plans also reported incidents affecting 29,888 patients, representing 1.4% of affected patients.
Hacking incidents were responsible for 26 breaches reported in December 2022. There were 10 breaches caused by unauthorized access or disclosure of PHI, one incident involving loss, and one incident involving theft of PHI.
December 2022 Healthcare Breaches and Hacking
Cybercriminals are still busy as hacking continued its streak at the top of the list of causes of healthcare breaches in December 2022. The 26 hacking incidents reported in December affected the PHI of 1,960,136 patients. These 26 incidents represented 90.3% of all documented records breached during the month.
Entities affected by hacking:
- 16 healthcare providers, 1,023,219 patients, 52.2% of patients affected by hacking
- 6 business associates, 907,029 patients, 46.3% of patients affected by hacking
- 4 health plans, 29,888 patients, 1.5% of patients affected by hacking
Types of hacking incidents:
- 15 network server hacks (and other reasons), 1,635,094 patients, 83.4% of patients affected by hacking
- 7 email hacks, 47,352 patients, 2.4% of patients affected by hacking
- 3 other causes, 276,788 patients, 14.1% of patients affected by hacking
- 1 laptop incident, 902 patients, less than 0.1% of patients affected by hacking
How to Prevent Hacking Incidents
As hacking incidents have been the leading cause of healthcare breaches for several years, minimizing your risk of being targeted is crucial.
Security Risk Assessments and Remediation
Security risk assessments (SRAs) are vital for security and compliance. An SRA aims to identify weaknesses and vulnerabilities in your security practices to prepare yourself against potential threats. Once SRAs have been conducted, it is essential to create remediation plans to address any identified deficiencies.
Employee Cybersecurity Training
A significant portion of hacking incidents results from phishing emails. Employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.
December 2022 Healthcare Breaches and Unauthorized Access or Disclosure
Incidents of unauthorized access or disclosures of PHI can occur in two ways – an authorized employee accesses PHI inappropriately, or an unauthorized party gains access to PHI. December 2022 recorded ten incidents of unauthorized access or disclosure of PHI. These incidents affected 168,386 patients, representing 7.8% of the breached records reported in December.
Entities affected by unauthorized access or disclosure:
- 4 business associates, 8,418 patients, 5% of patients affected by unauthorized access or disclosure
- 6 healthcare providers, 159,968 patients, 95% of patients affected by unauthorized access or disclosure
Types of unauthorized access or disclosure:
- 1 electronic medical records incident, 1,891 patients, 1.1% of patients affected by unauthorized access or disclosure
- 3 network server incidents, 114,689 patients, 68.1% of patients affected by unauthorized access or disclosure
- 4 email incidents, 46,865 patients, 29.6% of patients affected by unauthorized access or disclosure
- 2 paper/film, 1,914 patients, 1.1% of patients affected by unauthorized access or disclosure
How to Prevent Unauthorized Access or Disclosure
As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.
Policies and Procedures and Employee Training
HIPAA policies and procedures are essential to HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations.
User Authentication, Access Controls, and Audit Controls
To enforce the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication gives each employee unique login credentials; access controls let administrators assign different levels of PHI access to those credentials; and audit controls, which depend on those unique credentials, log who accessed which data so that you can verify that each employee’s PHI access was appropriate.
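The following Python sketch is an added illustration of how the three controls fit together; it is not code from the original post or from any product. Every name in it (the roles, the patient IDs, the chart contents) is constructed for the example. Each user has a unique ID and a role; a chart can be opened only if the role permits the action and the patient is within that user’s assignment (the minimum necessary scope); every attempt, allowed or denied, is written to an audit log keyed by the unique user ID; and a small review routine over that log flags users who accumulate repeated denials, which is the kind of pattern an audit reviewer would look into.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed role table (assumption for this example): what each role may do with a chart.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "front_desk": set(),  # scheduling staff get no chart access at all
}


@dataclass
class User:
    user_id: str                 # unique login credential: one per person, never shared
    role: str                    # drives the access level
    assigned_patients: Set[str]  # care/business relationship: the minimum-necessary scope


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    action: str
    allowed: bool
    reason: str


class PhiStore:
    """In-memory chart store that enforces access controls and records every attempt."""

    def __init__(self, records: Dict[str, str]) -> None:
        self._records = records
        self.audit_log: List[AuditEvent] = []

    def _record(self, user: User, patient_id: str, action: str, allowed: bool, reason: str) -> None:
        # Every attempt, allowed or denied, is logged against the unique user id.
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id, patient_id=patient_id,
            action=action, allowed=allowed, reason=reason))

    def access(self, user: User, patient_id: str, action: str) -> Optional[str]:
        """Return the chart if the user's role and assignment permit the action, else None."""
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            self._record(user, patient_id, action, False, "role does not permit action")
            return None
        if patient_id not in user.assigned_patients:
            self._record(user, patient_id, action, False, "patient outside user's assignment")
            return None
        if patient_id not in self._records:
            self._record(user, patient_id, action, False, "no such patient")
            return None
        self._record(user, patient_id, action, True, "ok")
        return self._records[patient_id]


def flag_repeated_denials(log: List[AuditEvent], threshold: int = 3) -> Dict[str, int]:
    """Audit review: users whose denied attempts reach the threshold, worth a closer look."""
    denied: Dict[str, int] = {}
    for event in log:
        if not event.allowed:
            denied[event.user_id] = denied.get(event.user_id, 0) + 1
    return {uid: n for uid, n in denied.items() if n >= threshold}


def run_demo() -> PhiStore:
    """Exercise the controls on constructed data and return the store with its audit log."""
    store = PhiStore({"P1": "chart-P1", "P2": "chart-P2", "P3": "chart-P3"})
    clinician = User("dr_a", "clinician", {"P1", "P2"})
    biller = User("bill_b", "billing", {"P1"})
    receptionist = User("desk_c", "front_desk", {"P1", "P2", "P3"})

    store.access(clinician, "P1", "read")      # allowed: role and assignment both permit it
    store.access(clinician, "P3", "read")      # denied: P3 is not an assigned patient
    store.access(clinician, "P3", "read")
    store.access(clinician, "P3", "write")
    store.access(biller, "P1", "write")        # denied: billing is read-only
    store.access(receptionist, "P2", "read")   # denied: front desk has no chart access
    return store


if __name__ == "__main__":
    demo = run_demo()
    for e in demo.audit_log:
        print(f"{e.user_id:8} {e.action:5} {e.patient_id} {'ALLOW' if e.allowed else 'DENY '} {e.reason}")
    print("users with repeated denials:", flag_repeated_denials(demo.audit_log))
```

The two checks in `access` are the access control; the log of every attempt is the audit control; and the fact that both are keyed by `user_id` is what unique credentials buy you, since a shared login would make the log useless for telling one employee’s actions from another’s. In a real EHR the log would be written to append-only storage and the review would run over it regularly rather than on demand.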
December 2022 Healthcare Breaches and Other Causes
In December 2022, one theft was reported to OCR that affected 39,000 individuals, representing 1.8% of the breached records reported in December. The theft involved an electronic device. One other portable electronic device containing 2,174 patient records was lost, representing 0.1% of records breached in December.