ITRC Breach Report

At least 344 organizations in the healthcare industry suffered data breaches in 2022, according to a just-released report from the Identity Theft Research Center® (ITRC). This is the third consecutive year that healthcare organizations led all industries in the number of data compromises noted in the ITRC report.

Healthcare organizations represented 19 percent of the 1,802 breaches reported in the 2022 ITRC report, with Financial Services (268), Manufacturing and Utilities (249), and Professional Services (224) following behind. In 2021, 15 percent of the breaches tracked by ITRC affected healthcare companies.

James L. Lee, Chief Operating Officer of the Identity Theft Research Center® says that healthcare makes a logical target for bad actors online.

“Cybercriminals would much rather attack a single entity that holds the data of multiple organizations than attack the companies individually,” said Lee. “The healthcare industry is so large and encompasses so many entities that range from local small businesses to global powerhouses – all of which have access to sensitive personal information – it’s difficult to maintain uniform security across such a wide landscape.” 

“The combination of valuable data and varying levels of security makes the industry an attractive target, a condition that will likely continue for the foreseeable future. So long as there are organizations in the healthcare industry with weaker security protections, the entire industry will remain vulnerable to the impacts of attacks and breaches.”

Cyberattacks continued to be criminals’ weapons of choice, with 1,595 breaches in 2022, a slight decrease from 1,613 in 2021, with drops year-over-year in the number of breaches attributed to phishing, ransomware, and malware.

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

G2 Leader Fall 2024

Supply chain attacks outstripped malware attacks in 2022, with 115 instances affecting 1,743 organizations and at least 10 million people. Healthcare organizations were hit particularly hard by supply chain attacks as eight of the 12 supply chain breaches cited in the report affected business associates of healthcare organizations or health insurance companies. 

“Breaches affecting business associates illustrate why HIPAA Compliance must be the foundation upon which you build your privacy and security strategy,” said Marc Haskelson the CEO of Compliancy Group, the leading provider of automated HIPAA compliance solutions for healthcare providers and business associates. “It is impossible to prevent every data breach, especially when it happens outside of your organization. However, HIPAA compliance can limit your liability and expose potential problems with suppliers through the due diligence that takes place while forging a business associate agreement.”

The breaches listed below reinforce the importance of having well-crafted business associate agreements with vendors to maintain HIPAA compliance.

  • Shields Health Care Group, Inc.: 56 Entities; 1,804,069 Victims (provides MRI, PET/CT, and ambulatory surgical services)
  • Eye Care Leaders: 37 Entities; 3,372,880 Victims (provides ophthalmology-specific EHR and practice management software and services)
  • Practice Resources, LLC: 28 Entities; 942,138 Victims (provides management services in the areas of billing, electronic medical records, human resources, accounting, risk management, and development)
  • MCG Health, LLC: 10 Entities; 793,283 Victims (provides evidence-based care guidelines, analytics, and software to healthcare organizations)
  • Horizon Actuarial Services, LLC: 3 Entities; 2,292,080 Victims (provides technical and actuarial consulting services for many union health benefit plans)
  • Comstar, LLC: 2 Entities; 585,621 Victims (provides ambulance billing, collection, consulting, EPCR hosting, and client/patient service to municipal and non-profit ambulance services)
  • Adaptive Health Integrations: 1 Entity; 510,574 Victims (provides both LIS software services and billing/revenue services for laboratories, physicians’ offices, and related healthcare companies)
  • Connexin Software, Inc.: 1 Entity; 2,216,365 Victims (dba Office Practicum: provides software products including electronic medical records and practice management systems for use in pediatric clinical settings)

Lee stressed that covered entities like healthcare providers and business associates are responsible for protecting patient PHI and that they must take that responsibility seriously.

“Providers need to hold their vendors to the same standards of data protection they hold themselves. However, providers also need to look at their own protections to ensure they are strict and effective against the kind of attacks and accidents that lead to personal data being exposed or stolen,” said Lee. “We know that phishing attacks and impersonation scams are growing in complexity and frequency, but what are organizations doing to ensure every employee does not unwittingly reveal information or respond to an email or text they shouldn’t?” 

“Cybersecurity training cannot be a once-a-year online course. It must be a part of every organization’s culture and frequently reinforced for all employees if we are to see significant improvement against a very determined set of criminals. If providers improve their security posture and hold their vendors to the same standards, we will make progress.”

One disturbing trend highlighted in the report was a sudden lack of transparency in breach reporting. Only 58 percent of breach notices in 2022 provided details about the breach and how it occurred, compared to 93 percent in 2021. Lee credited HIPAA rules and regulations as the reason for more transparency in healthcare breach reporting.

“Generally speaking, healthcare organizations are more likely to report a data breach or other event than companies in other industries,” said Lee. “Although HIPAA enforcement actions by HHS have declined in the past few years, historically, HIPAA requirements

Healthcare Compliance Software - CG

Prevent Healthcare Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!