Each month, we review healthcare breaches posted on the Office for Civil Rights (OCR) online breach portal to determine the leading causes and how the incidents could have been prevented. The OCR publicly posts healthcare breaches that affected 500 or more individuals to ensure that all affected patients know their information could have been potentially compromised.

At least 6,242,589 records containing patients’ protected health information (PHI)  were breached in October 2022. Unauthorized disclosures resulted in the most significant number of breaches in October 2022, with more than 4,145,396 records.

In October 2022, there were 71 large-scale breaches reported, 55 of which affected healthcare providers. These incidents compromised the PHI of 4,966,192 individuals, representing 79.6% of patients affected by the October incidents. 

Business associates reported six additional incidents that affected 565,536 patients, representing 9.1% of patients affected. 

Ten health plans also reported incidents affecting 710,861 patients, representing 11.3% of affected patients. 

Hacking incidents were responsible for 47 breaches reported in October 2022. There were 17 breaches caused by unauthorized access or disclosure of PHI, four incidents involving theft, two resulting from loss of PHI, and one from improper disposal of PHI.

October 2022 Healthcare Breaches and Hacking

Cybercriminals are still busy as hacking continued its streak at the top of the list of causes of healthcare breaches in October 2022. The 47 hacking incidents reported in October affected the PHI of 2,025,704 patients. These 53 incidents represented 32.4% of all reported records breached during the month.

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

G2 Easiest to Do Business With

Entities affected by hacking:

  • 37 healthcare providers, 1,270,176 patients, 62.79% of patients affected by hacking
  • 3 business associates, 68,947 patients, 3.4% of patients affected by hacking
  • 7 health plans, 686,581 patients, 33.9% of patients affected by hacking

Types of hacking incidents:

  • 33 hacks of network servers and other reasons, 1,365,052 patients, 67.4% of patients affected by hacking
  • 13 email hacks, 659,373 patients, 32.6% of patients affected by hacking
  • 1 other reason, 1,279 patients, >0.1% of patients affected by hacking

How to Prevent Hacking Incidents

As hacking incidents have become the leading cause behind healthcare breaches for several years, minimizing your risk of being targeted is crucial.

Security Risk Assessments and Remediation

Security risk assessments (SRAs) are vital for security and compliance. An SRA aims to identify weaknesses and vulnerabilities in your security practices to prepare yourself against potential threats. Once SRAs have been conducted, it is essential to create remediation plans to address any identified deficiencies.

Employee Cybersecurity Training

A significant portion of hacking incidents results from phishing emails. This is why employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.

October 2022 Healthcare Breaches and Unauthorized Access or Disclosure

Incidents of unauthorized access or disclosures of PHI can occur in two ways – an authorized employee accesses PHI inappropriately, or an unauthorized party gains access to PHI. October 2022 recorded 17 incidents of unauthorized access or disclosure of PHI. These incidents affected 4,145,396 patients, representing 66.4% of the breached records reported in October.

Entities affected by unauthorized access or disclosure:

  • 3 business associates, 486,589 patients, 12% of patients affected by unauthorized access or disclosure
  • 3 healthcare providers, 24,280 patients, 0.6% of patients affected by unauthorized access or disclosure 
  • 11 health plans, 3,624,527 patients, 87.4% of patients affected by unauthorized access or disclosure

Types of unauthorized access or disclosure:

  • 2 electronic medical records incidents, 3,007,679 patients, 72.6% of patients affected by unauthorized access or disclosure
  • 9 network server incidents, 616,825 patients, 14.8% of patients affected by unauthorized access or disclosure
  • 1 other incident, 495,808 patients, 12% of patients affected by unauthorized access or disclosure
  • 2 email incidents, 16,258 patients, 0.4% of patients affected by unauthorized access or disclosure
  • 1 paper/films incident, 8,022 patients, 0.2% of patients affected by unauthorized access or disclosure

How to Prevent Unauthorized Access or Disclosure

As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.

Policies and Procedures and Employee Training

HIPAA policies and procedures are essential to HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations. 

User Authentication, Access Controls, and Audit Controls

To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication provides unique login credentials for each employee, while access controls enable administrators to designate different PHI access levels using those unique login credentials. Also, based on the implementation of unique login credentials, audit controls track access to data to ensure that PHI is accessed appropriately by each employee.

October 2022 Healthcare Breaches and Other Causes

In October 2022, other types of breaches were reported to OCR that affected a total of 67,244 individuals, representing 1% of the breached records reported in October.

  • 4 healthcare providers reported thefts of electronic medical records, portable electronic devices, including laptops, and other causes, 65,010 patients
  • 2 healthcare providers reported the loss of portable electronic devices, 2,234 patients 

Prevent HIPAA Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!