Each month, we review healthcare breaches to determine the leading cause and how the incidents could have been prevented. We do so by examining the Office for Civil Rights (OCR) online breach portal. The OCR publicly posts healthcare breaches that affected 500 or more patients to ensure that all affected patients know their information could have been potentially compromised.

While February is considered the month of romance, hackers and ransomware criminals continued their love affair with other people’s protected health information (PHI).

February 2022 Healthcare Breaches

In February 2022, there were 36 large-scale breaches reported involving 1,338,384 patients. Most February 2022 healthcare breaches affected healthcare providers, with 25 incidents. These 25 incidents compromised the (PHI) of 683,516, representing just over 51% of patients affected by February incidents. Business associates reported five additional incidents. Business associate incidents affected 633,584 patients, representing 47.3% of patients affected. Six health plans also reported incidents affecting 21,284 patients and representing 1.6% of affected patients. In February, all of the incidents except one resulted from hacking incidents and unauthorized access or disclosure of PHI. There was also one incident of PHI loss involving a healthcare provider’s desktop computer reported that affected 4,500 patients, representing 0.3% of patients affected.

February 2022 Healthcare Breaches and Hacking

Hacking continued its streak at the top of the list of causes of healthcare breaches in February 2022. There were 29 hacking incidents reported in February that affected 1,271,334 patients. These 29 incidents represented 95% of patients affected by February incidents.

Entities affected by hacking:

  • 21 healthcare providers, 633,984 patients, 49.9% of patients affected by hacking
  • 5 business associates, 633,584 patients, 49.8% of patients affected by hacking
  • 3 health plans, 3,816 patients, 0.2% of patients affected by hacking

Types of hacking incidents:

  • 19 network server hacks,1,095,885 patients, 86.2% of patients affected by hacking
  • 10 email hacks, 175,449 patients, 13.8% of patients affected by hacking

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

Easiest To Do Business With 2024

How to Prevent Hacking Incidents

As hacking incidents have become the leading cause behind healthcare breaches for several years, minimizing your risk of being targeted is crucial.

Security Risk Assessments and Remediation

Security risk assessments (SRAs) are vital for security and compliance. The purpose of an SRA is to identify weaknesses and vulnerabilities in your security practices so that you can prepare yourself against potential threats. Once SRAs have been conducted, it is essential to create remediation plans to address any identified deficiencies.

Employee Cybersecurity Training

A significant portion of hacking incidents results from phishing emails. This is why employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.

February 2022 Healthcare Breaches and Unauthorized Access or Disclosure

Incidents of unauthorized access or disclosures of PHI can occur in two ways – an authorized employee accesses PHI inappropriately, or an unauthorized party gains access to PHI. In February 2022, there were 11 incidents of unauthorized access or disclosure of PHI. These incidents affected 62,550 patients, representing 4.7% of patients affected by February incidents.

Entities affected by unauthorized access or disclosure:

  • 3 healthcare providers, 45,082 patients, 72.1% of patients affected by unauthorized access or disclosure
  • 3 health plans, 17,468 patients, 27.9% of patients affected by unauthorized access or disclosure

Types of unauthorized access or disclosure:

  • 1 EMR incident, 45,082 patients, 72.1% of patients affected by unauthorized access or disclosure
  • 1 email incident, 10,467 patients, 16.7% of patients affected by unauthorized access or disclosure
  • 1 network server incident, 6,413 patients, 10.2% of patients affected by unauthorized access or disclosure
  • 1 paper/films incidents, 588 patients, 1% of patients affected by unauthorized access or disclosure

How to Prevent Unauthorized Access or Disclosure

As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.

Policies and Procedures and Employee Training

HIPAA policies and procedures are an essential part of HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary required to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures so that they are aware of their obligations. 

User Authentication, Access Controls, and Audit Controls

To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication provides unique login credentials for each employee, while access controls enable administrators to designate different PHI access levels using those unique login credentials. Also, based on the implementation of unique login credentials, audit controls track access to data to ensure that PHI is accessed appropriately by each employee.

Prevent HIPAA Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!