The Department of Health and Human Services’ Office for Civil Rights was inundated during January with reports of healthcare data breaches of 500 or more records, arriving at a rate of more than one a day.
It has already been widely commented that 2019 was a very bad year for healthcare data breaches, with 510 data breaches reported by HIPAA-covered entities and their business associates. That is equivalent to a rate of 42.5 data breaches per month. January’s figures are an improvement on the previous month, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches compared to December 2019.
While the number of breaches fell, the number of breached records grew by 17.71% from one month to the next: 462,856 healthcare records were impacted across 32 reported data breaches. As the graph below would seem to suggest, the severity of data breaches has increased in the last few years.
Largest Healthcare Data Breaches in January 2020
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| PIH Health | CA | Healthcare Provider | 199,548 | Hacking/IT Incident | |
| Douglas County Hospital d/b/a Alomere Health | MN | Healthcare Provider | 49,351 | Hacking/IT Incident | |
| InterMed, PA | ME | Healthcare Provider | 33,000 | Hacking/IT Incident | |
| Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 30,049 | Hacking/IT Incident | Network Server |
| Native American Rehabilitation Association of the Northwest, Inc. | OR | Healthcare Provider | 25,187 | Hacking/IT Incident | |
| Central Kansas Orthopedic Group, LLC | KS | Healthcare Provider | 17,214 | Hacking/IT Incident | Network Server |
| Hospital Sisters Health System | IL | Healthcare Provider | 16,167 | Hacking/IT Incident | |
| Spectrum Healthcare Partners | ME | Healthcare Provider | 11,308 | Hacking/IT Incident | |
| Original Medicare | MD | Health Plan | 9,965 | Unauthorized Access/Disclosure | Other |
| Lawrenceville Internal Medicine Assoc, LLC | NJ | Healthcare Provider | 8,031 | Unauthorized Access/Disclosure | |
2019 witnessed a huge increase in healthcare data breaches that were the result of hacking/IT incidents. In 2019, over 59% of data breaches reported to the HHS’ Office for Civil Rights were due to hacking, malware, ransomware, phishing attacks, and other IT security incidents.
Hacking/IT incidents were still the main feature of the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure breaches (9 incidents). There were two reported theft incidents, both involving physical files, and two cases of improper disposal of physical records. Ransomware attacks continued to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands of individuals breached.
Hacking/IT incidents are normally the most damaging type of breach and involve more healthcare records than other categories of breach. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breached in unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.
11,284 records were involved in theft incidents, with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering the files unreadable and undecipherable. The average breach size was 1,406 records.
Ongoing security awareness training for staff has been shown to reduce susceptibility to phishing attacks, but attackers are creating ever more sophisticated campaigns. It is often hard to distinguish a phishing email from a genuine message, especially in the case of a business email compromise scam.
What is needed to prevent these attacks is a layered security strategy, since no single technical solution will be effective at blocking all phishing campaigns. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to restrict access to websites hosting phishing kits, DMARC to detect email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.
Covered Entity Healthcare Data Breaches
Healthcare providers were the entities most affected by data breaches in January, with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. A further three data breaches reported by covered entities involved business associates.
Healthcare Data Breaches Compared State by State
HIPAA-covered entities and business associates in 23 states reported data breaches in January. California and Texas were the most affected, with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.
HIPAA Enforcement During January 2020
No HIPAA fines were imposed on HIPAA-covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general during January.
There was, however, a significant increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches linked to phishing and ransomware attacks.
January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued in relation to a December 2019 ransomware attack, and a further lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that took place in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.
The trend has persisted into February, with many law firms competing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 people.
These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, the legal actions are brought for violations of state laws.