Supply chain attacks outstripped malware attacks in 2022, with 115 instances affecting 1,743 organizations and at least 10 million people. Healthcare organizations were hit particularly hard by supply chain attacks as eight of the 12 supply chain breaches cited in the report affected business associates of healthcare organizations or health insurance companies.
“Breaches affecting business associates illustrate why HIPAA compliance must be the foundation upon which you build your privacy and security strategy,” said Marc Haskelson, the CEO of Compliancy Group, the leading provider of automated HIPAA compliance solutions for healthcare providers and business associates. “It is impossible to prevent every data breach, especially when it happens outside of your organization. However, HIPAA compliance can limit your liability and expose potential problems with suppliers through the due diligence that takes place while forging a business associate agreement.”
The breaches listed below reinforce the importance of having well-crafted business associate agreements with vendors to maintain HIPAA compliance.
- Shields Health Care Group, Inc.: 56 Entities; 1,804,069 Victims (provides MRI, PET/CT, and ambulatory surgical services)
- Eye Care Leaders: 37 Entities; 3,372,880 Victims (provides ophthalmology-specific EHR and practice management software and services)
- Practice Resources, LLC: 28 Entities; 942,138 Victims (provides management services in the areas of billing, electronic medical records, human resources, accounting, risk management, and development)
- MCG Health, LLC: 10 Entities; 793,283 Victims (provides evidence-based care guidelines, analytics, and software to healthcare organizations)
- Horizon Actuarial Services, LLC: 3 Entities; 2,292,080 Victims (provides technical and actuarial consulting services for many union health benefit plans)
- Comstar, LLC: 2 Entities; 585,621 Victims (provides ambulance billing, collection, consulting, EPCR hosting, and client/patient service to municipal and non-profit ambulance services)
- Adaptive Health Integrations: 1 Entity; 510,574 Victims (provides both LIS software services and billing/revenue services for laboratories, physicians’ offices, and related healthcare companies)
- Connexin Software, Inc.: 1 Entity; 2,216,365 Victims (dba Office Practicum: provides software products including electronic medical records and practice management systems for use in pediatric clinical settings)
Lee stressed that covered entities like healthcare providers and business associates are responsible for protecting patient PHI and that they must take that responsibility seriously.
“Providers need to hold their vendors to the same standards of data protection they hold themselves. However, providers also need to look at their own protections to ensure they are strict and effective against the kind of attacks and accidents that lead to personal data being exposed or stolen,” said Lee. “We know that phishing attacks and impersonation scams are growing in complexity and frequency, but what are organizations doing to ensure every employee does not unwittingly reveal information or respond to an email or text they shouldn’t?”
“Cybersecurity training cannot be a once-a-year online course. It must be a part of every organization’s culture and frequently reinforced for all employees if we are to see significant improvement against a very determined set of criminals. If providers improve their security posture and hold their vendors to the same standards, we will make progress.”
One disturbing trend highlighted in the report was a sudden lack of transparency in breach reporting. Only 58 percent of breach notices in 2022 provided details about the breach and how it occurred, compared to 93 percent in 2021. Lee credited HIPAA rules and regulations as the reason for more transparency in healthcare breach reporting.
“Generally speaking, healthcare organizations are more likely to report a data breach or other event than companies in other industries,” said Lee. “Although HIPAA enforcement actions by HHS have declined in the past few years, historically, HIPAA requirements