The Atlanta, Georgia-based Peachtree Orthopedics reported that the records of over half a million patients were compromised in a cyberattack in September of 2016.
The firm first notified patients affected by the breach in October after reporting the incident to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). At the time the breach was reported, Peachtree had yet to release an official statement on the number of individuals whose protected health information (PHI) was breached in the cyberattack. Now that HHS records have been made public, the number of affected individuals sits at 531,000.
This PHI breach is the sixth largest in 2016 alone, adding to the combined 4 million records that have been breached over the course of the year. In years past, the number of records involved in breaches has been even more staggering. Nearly 5 million patients were affected in 2014, in addition to 8.7 million in 2015.
Cyberattacks on the Rise
Peachtree was the victim of a well-orchestrated cyberattack, instigated by a group of hackers. Cyberattacks targeting healthcare practices and organizations have been growing at an alarming rate over the past few years.
“The problem with data breaches of this magnitude is that the sensitive information exposed in the breach is worth significant sums on the black market,” said Marc Haskelson of Compliancy Group. “Health data and PHI presents an appealing target to hackers because of how lucrative it can be in comparison to other types of data.”
The rise in hacks and PHI breaches means that patient privacy and data security is fast becoming a serious concern for healthcare professionals of all kind.
PHI Breaches and HIPAA Compliance
It has yet to be determined whether Peachtree Orthopedics will face an OCR investigation or HIPAA fines in response to the breach.
HIPAA fines are never the result of a data breach in itself. The fines come after an OCR investigation reveals that HIPAA privacy and security standards were not being upheld or contributed to the breach in some way.
The OCR fine schedule for HIPAA violations ranges from $100-$50,000 per incident depending on the level of negligence or non-compliance that auditors discover in the course of their investigation. The best way that healthcare professionals can protect against HIPAA fines is to implement a robust and effective HIPAA compliance program throughout their organizations.
By implementing a HIPAA compliance program, healthcare professionals can mitigate damages done by data breaches and protect their patients’ sensitive health data.
