December is a time for joyous celebration, but for over 4 million patients it was a rude awakening: breaches that put their confidential information at risk. Having your private information exposed has become a regrettable norm, with 720 large-scale breaches listed on the Office for Civil Rights (OCR) breach portal in 2024. In December 2024 alone, fifty incidents were reported, affecting 4,128,080 patients.
In our monthly healthcare data breach report, we’ll explore which entities were affected by incidents in December 2024 and what types of incidents were reported.
Hacking Most Cited Incident in December 2024
December 2024 saw 40 organizations report hacking incidents that impacted 3,490,050 patients. These hacking incidents accounted for 80% of the reported incidents and affected 85% of the patients impacted by healthcare breaches in December.
Hacking is the most common cause of healthcare breaches, which has led the OCR to launch a Ransomware Enforcement Initiative to investigate potential compliance failures in organizations that report these types of incidents.
How to Prevent Hacking
Hacking has been the primary cause of healthcare data breaches for years. Therefore, minimizing the risk of cyberattacks on your organization is crucial.
Security Risk Assessments and Remediation
Conducting Security Risk Assessments (SRAs) is essential for maintaining security and compliance. An SRA identifies weaknesses and vulnerabilities in your security measures to help you prepare for potential threats. After the assessment, create a remediation plan to address any identified shortcomings.
Employee Cybersecurity Training
Many hacking incidents originate from phishing emails. Employee cybersecurity training is vital to safeguard your organization. Employees need to be able to identify phishing attempts and know the appropriate response if they suspect an incident.
8 Incidents of Unauthorized Access or Disclosure
There are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity. There were eight incidents of unauthorized access or disclosure of protected health information (PHI) reported. These incidents affected 635,655 patients, representing 15.4% of patients exposed in December 2024 healthcare breaches.
How to Prevent Unauthorized Access or Disclosure
Unauthorized access or disclosure of sensitive patient information can have devastating consequences for healthcare organizations and the individuals they serve. These can include identity theft, financial fraud, discrimination, and a loss of trust in the healthcare system. To prevent unauthorized access or disclosure, healthcare organizations should implement a multi-layered approach to security.
HIPAA Policies and Procedures and Employee Training
HIPAA policies and procedures are crucial for HIPAA compliance. They provide guidance to employees on appropriate behavior concerning PHI. HIPAA mandates that employee use and disclosure of PHI be restricted to the minimum necessary to carry out their job functions. Your policies and procedures should reflect this, and employees should receive training on these policies and procedures to understand their responsibilities.
User Authentication, Access Controls, and Audit Controls
To ensure compliance with the minimum necessary standard, implement user authentication, access controls, and audit controls. User authentication gives each employee unique login credentials, so every action can be tied to one person. Access controls let administrators assign differing levels of PHI access to those unique credentials. Audit controls, keyed to the same credentials, record who accessed which data and when, so that inappropriate PHI access can be detected, investigated, and corrected.
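The three controls described above fit together as one enforcement-and-review loop: a unique user identity, a role-scoped permission check before any PHI is returned, and an audit record of every attempt (including denials) that a privacy officer can review later. The following is an added illustration, not code from the report or from any particular EHR product; the role names, the record fields, the patient identifiers and the "two denials triggers review" threshold are all constructed assumptions for the example.

```python
"""Minimal PHI access-control and audit layer (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: these roles and the record fields each may see are illustrative,
# not a list mandated by HIPAA. Each role sees only what its job function needs
# (the "minimum necessary" standard).
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "physician": frozenset({"demographics", "diagnoses", "medications", "lab_results"}),
    "billing": frozenset({"demographics", "insurance"}),
    "front_desk": frozenset({"demographics"}),
}


@dataclass(frozen=True)
class User:
    user_id: str                  # unique login credential, never shared
    role: str
    assigned_patients: frozenset  # patients this user has a work reason to see


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    field: str
    allowed: bool
    reason: str


class PHIStore:
    """Holds patient records, enforces access rules, and logs every attempt."""

    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.audit_log: List[AuditEvent] = []

    def _authorize(self, user: User, patient_id: str, field: str) -> Tuple[bool, str]:
        allowed_fields = ROLE_PERMISSIONS.get(user.role)
        if allowed_fields is None:
            return False, "unknown role"
        if field not in allowed_fields:
            return False, f"field '{field}' not permitted for role '{user.role}'"
        if patient_id not in user.assigned_patients:
            return False, "no assigned relationship with patient"
        if patient_id not in self._records:
            return False, "no such patient"
        return True, "ok"

    def read(self, user: User, patient_id: str, field: str) -> Optional[str]:
        allowed, reason = self._authorize(user, patient_id, field)
        # Audit control: denied attempts are logged too; they are the signal
        # a reviewer needs to spot snooping or a mis-assigned role.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user.user_id,
            patient_id, field, allowed, reason))
        if not allowed:
            return None
        return self._records[patient_id].get(field)


def denied_attempts_by_user(log: List[AuditEvent]) -> Dict[str, int]:
    """Count denied PHI requests per unique user id."""
    counts: Dict[str, int] = {}
    for ev in log:
        if not ev.allowed:
            counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
    return counts


def flag_for_review(log: List[AuditEvent], threshold: int = 2) -> List[str]:
    """Return user ids with at least `threshold` denied requests (assumed threshold)."""
    return sorted(u for u, n in denied_attempts_by_user(log).items() if n >= threshold)


def run_demo() -> PHIStore:
    # Constructed sample records and users; no real patient data.
    store = PHIStore({
        "P100": {"demographics": "J. Doe, 1970", "diagnoses": "dx-placeholder", "insurance": "Plan A"},
        "P200": {"demographics": "A. Roe, 1985", "diagnoses": "dx-placeholder", "insurance": "Plan B"},
    })
    physician = User("md-01", "physician", frozenset({"P100"}))
    clerk = User("fd-02", "front_desk", frozenset({"P100"}))

    store.read(physician, "P100", "diagnoses")     # allowed: role + relationship
    store.read(clerk, "P100", "demographics")      # allowed: front desk needs this
    store.read(clerk, "P100", "diagnoses")         # denied: beyond minimum necessary
    store.read(clerk, "P200", "demographics")      # denied: no relationship with P200
    return store


if __name__ == "__main__":
    demo = run_demo()
    for ev in demo.audit_log:
        print(ev.user_id, ev.patient_id, ev.field, "ALLOW" if ev.allowed else "DENY", ev.reason)
    print("flagged for review:", flag_for_review(demo.audit_log))
```

The important design choice is that the audit log is written inside `read()`, before the authorization result is acted on, so no code path can return PHI without leaving a record; review logic such as `flag_for_review` then runs over that log rather than over application code paths. In a real deployment the log would be append-only and stored where the users it describes cannot edit it.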
Two Incidents of Loss Reported in December 2024
Two additional healthcare breaches were reported in December 2024. They were classified as loss of PHI. These incidents affected 2,375 patients, representing 0.06% of patients affected by breaches in December.