HIPAA breaches have increased exponentially because health information is extremely valuable on the black market. It seems like there is a new data breach in the news every day, and a large portion of these breaches are the result of phishing incidents. A phishing incident occurs when a hacker, misrepresenting their identity, sends a malicious link, usually via email, to one or more employees. In a recent phishing attack, hackers accessed Northwood Inc., a business associate based in Michigan.
Northwood Inc. HIPAA Breach
The phishing incident, discovered in May of 2019, affected a total of 15,027 patients. Hackers gained access to an employee's email account, prompting Northwood Inc. to disable that account and reset all employees' email passwords. The investigation into the incident could not determine whether any data was accessed or stolen; however, as a precaution, all emails and email attachments within the employee's account were checked to determine whether they contained any personal health information (PHI).
Investigators determined that PHI was contained in the hacked employee's email account. Information that may have been accessed included name, address, date of birth, medical record number, diagnosis codes, treatment information, and health plan membership number. Information on healthcare providers and their CMS exclusion status may also have been compromised.
Northwood Inc. reported the incident to the Office for Civil Rights (OCR), and affected individuals have been notified by mail. In addition, Northwood has provided training to employees to prevent HIPAA breaches in the future.
How to Prevent a HIPAA Breach
With the prevalence of data breaches, it is imperative that healthcare organizations implement safeguards to protect PHI.
The Department of Health and Human Services (HHS) recommends ten practices that healthcare organizations should adopt to protect sensitive information:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
Organizations that implement these practices will be able to better protect patient information.
Need Assistance Addressing Cybersecurity?
Compliancy Group gives healthcare providers and vendors working in healthcare the tools to confidently address their HIPAA compliance in a simplified manner. Our cloud-based HIPAA compliance software, The Guard™, gives healthcare professionals everything they need to demonstrate their "good faith effort" toward HIPAA compliance.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and MSP security partners from across the country, who can be contracted to handle your HIPAA cybersecurity protection.