The Department of Health and Human Services (HHS) began tracking data breaches in 2009. The HHS publishes meaningful breaches on their “wall of shame.” A meaningful breach affects 500 or more individuals. July healthcare breaches reached an all-time high since tracking began, with 50 breaches occurring. The 50 healthcare breaches in July exposed the protected health information (PHI) of 25,375,729 individuals. So far, 2019 has seen more healthcare breaches than 2016, 2017, and 2018 combined.
A huge contributing factor to this is the breach of American Medical Collection Agency (AMCA) which exposed the records of 24 million patients, although investigations are still pending, and the impact may be larger.
Causes of July’s Healthcare Data Breaches
Of the 50 incidents in July, 35 were caused by hacking or IT incidents, with an additional 9 incidents a result of unauthorized access or disclosure of PHI. The remaining 5 incidents were a result of theft, loss, or improper disposal of devices.
Of the 35 hacking incidents reported in July, 21 of the healthcare breaches were the result of phishing emails. A phishing email is an email sent containing a malicious link, prompting the receiver to click the link. When the link is clicked, hackers are able to access the email account, and in some instances an organization’s entire network. There were also 19 incidents involving a network server accessed by unauthorized individuals.
The majority of healthcare breaches in July were covered entity (CE) breaches, 39 incidents. However, some of those breaches involved business associates (BAs) as well.
Healthcare Breaches Point to the Need for Advanced Security Practices
Although not explicitly mandated by HIPAA law, it is recommended that healthcare organizations implement multi-factor authentication (MFA) and encryption. MFA requires users to log in to systems using multiple identifying factors, such as a password in combination with a security question, one-time PIN, or biometrics. MFA mitigates the risk of unauthorized access as a compromised password would not be enough for hackers to access a system.
Data encryption masks data, users need a decryption key to unlock the data. Encryption protects data in the event of a healthcare breach resulting from the loss or theft of a device, as PHI will be unreadable.
Do You Need Help Addressing Cybersecurity?
Compliancy Group gives healthcare providers and vendors working in healthcare the tools to confidently address their HIPAA compliance in a simplified manner. Our cloud-based HIPAA compliance software, the Guard™, gives healthcare professionals everything they need to demonstrate their “good faith effort” towards HIPAA compliance.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and managed service provider (MSP) security partners from across the country, who can be contracted to handle your HIPAA cybersecurity protection.
Find out more about how Compliancy Group helps you simplify compliance and cybersecurity today!
