The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) reported 32 January healthcare breaches, affecting 462,856 patients. Of the reported incidents, there were 19 breaches due to hacking/IT incidents, 9 breaches from the unauthorized access/disclosure of protected health information (PHI), 2 breaches due to theft, and 2 breaches due to improper disposal of PHI.
Hacking / IT Incidents Causing January Healthcare Breaches
The majority of January healthcare breaches were due to hacking/IT incidents, with 89.9% of the total breaches reported in January caused by this type of incident. Hacking/IT incidents affected 416,275 patients. The following chart depicts the type of hacking/IT incidents that caused January healthcare breaches, including how many patients were affected by each:
- Email Hacks Affected 352,986 Patients
  - MHMR Tarrant County: affected 6,524 patients
  - Hospital Sisters Health System: affected 16,167 patients
  - Village Senior Services Corporation d/b/a VillageCareMAX: affected 2,645 patients
  - Village Center for Care d/b/a VillageCare Rehabilitative and Nursing Center: affected 674 patients
  - REVA, INC.: affected 1,000 patients
  - Phoenix Children’s Hospital: affected 1,860 patients
  - Children’s Hope Alliance: affected 4,564 patients
  - PIH Health: affected 199,548 patients
  - Spectrum Healthcare Partners: affected 11,308 patients
  - InterMed, PA: affected 33,000 patients
  - CAH Holdings, Inc.: affected 1,158 patients
  - Native American Rehabilitation Association of the Northwest, Inc.: affected 25,187 patients
  - Douglas County Hospital dba Alomere Health: affected 49,351 patients
- EMR/Network Server Hacks Affected 6,120 Patients
  - Virginia Department of Medical Assistance Services: affected 6,120 patients
- Network Server Hacks Affected 54,109 Patients
  - Central Kansas Orthopedic Group, LLC: affected 17,214 patients
  - Manchester Ophthalmology, LLC: affected 6,846 patients
  - Fondren Orthopedic Group L.L.P.: affected 30,049 patients
- Other Hacks Affected 3,060 Patients
  - Personal Touch Home Services of Dallas, Inc.: affected 1,700 patients
  - Lafayette Regional Rehabilitation Hospital: affected 1,360 patients
Unauthorized Access / Disclosures Causing January Healthcare Breaches
The unauthorized access or disclosure of protected health information (PHI) represented 8.2% of the total healthcare breaches in January, affecting 37,949 patients.
- Email Unauthorized Access / Disclosures Affected 8,719 Patients
  - Cedarbrook Senior Care and Rehabilitation / County of Lehigh: affected 688 patients
  - Lawrenceville Internal Medicine Assoc, LLC: affected 8,031 patients
- EMR Unauthorized Access / Disclosures Affected 1,182 Patients
  - Beaumont Health: affected 1,182 patients
- Network Server Unauthorized Access / Disclosures Affected 2,713 Patients
  - Cook County Health: affected 2,713 patients
- Paper/Films Unauthorized Access / Disclosures Affected 15,370 Patients
  - Robert S. Smith MD Inc DBA Boston Scientific Pathology: affected 6,940 patients
  - UnitedHealth Group Health Plan Single Affiliated Covered Entity: affected 934 patients
  - Solara Medical Supplies, LLC: affected 1,531 patients
  - RCM Enterprise Services, Inc.: affected 5,965 patients
- Other Unauthorized Access / Disclosures Affected 9,965 Patients
  - Original Medicare: affected 9,965 patients
Theft / Improper Disposal Causing January Healthcare Breaches
January healthcare breaches caused by theft of PHI accounted for 0.5% of breaches, affecting 2,497 patients. The improper disposal of PHI represented 1.3% of breaches, affecting 6,135 patients.
How to Protect Against Healthcare Breaches
As healthcare organizations are increasingly targeted by hackers, it is important to understand how you can protect your organization against breaches.
The Department of Health and Human Services (HHS) recommends the following ten cybersecurity practices:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
Implementing the recommended cybersecurity practices is not enough on its own: to ensure that they are effective, it is essential to train employees. Employee training is required to be conducted annually. Training must cover HIPAA standards, as well as your organization’s internal administrative policies and procedures. Employee training should also include how to recognize phishing emails. A phishing email is an email sent to employees that impersonates a trusted entity, usually prompting recipients to click on a malicious link that enables hackers to access the employee’s computer. This type of attack is occurring more frequently as hackers become more sophisticated.