In another big month for healthcare breaches, the OCR Breach Portal listed 59 incidents affecting 8,799,300 patients. The most affected group was healthcare providers, reporting 36 incidents affecting 8 million patients, followed by 12 incidents reported by health plans. Although business associates reported 9 incidents, more patients were affected than health plan incidents. We’ll examine what caused January 2024 healthcare breaches and how they could have been prevented.
46 Hacking Incidents Affected 8.6 Million
There were 46 hacking incidents reported in January 2024. These incidents affected 8,687,089, representing 98.72% of patients affected by January incidents.
Who reported hacking incidents, and how many patients were affected?
- 28 healthcare providers, 7,940,054 patients
- 9 health plans, 101,208 patients
- 8 business associates, 643,693 patientsÂ
- 1 healthcare clearinghouse, 2,134 patients
How to Prevent Hacking
As hacking incidents have become the leading cause behind healthcare breaches for several years, minimizing your risk of being targeted is crucial.
Security Risk Assessments and Remediation
Security risk assessments (SRAs) are vital for security and compliance. An SRA aims to identify weaknesses and vulnerabilities in your security practices to prepare yourself against potential threats. Once SRAs have been conducted, it is essential to create remediation plans to address any identified deficiencies.
Employee Cybersecurity Training
A significant portion of hacking incidents results from phishing emails. Employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.
11 Incidents of Unauthorized Access or Disclosure
There were 11 incidents of unauthorized access or disclosure reported in January 2024. These incidents affected 77,088, representing 0.88% of patients affected by January incidents.
Who reported these incidents, and how many patients were affected?
- 6 healthcare providers, 53,437 patients
- 3 health plans, 21,595 patients
- 1 healthcare clearinghouse, 1,033 patients
- 1 business associate, 1,023 patients
How to Prevent Unauthorized Access or Disclosure
As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.
Policies and Procedures and Employee Training
HIPAA policies and procedures are essential to HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations.Â
User Authentication, Access Controls, and Audit Controls
To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication provides unique login credentials for each employee, while access controls enable administrators to designate different PHI access levels using those unique login credentials. Also, based on the implementation of unique login credentials, audit controls track access to data to ensure that PHI is accessed appropriately by each employee.
January Loss and Theft
One healthcare provider reported an incident of theft, affecting 34,016 patients. While another healthcare provider reported an incident of loss, affecting 1,107 patients. These two incidents combined affected less than 1% of patients affected by January 2024 healthcare preaches.