Tallying Healthcare Breaches

Despite leaps and bounds in cybersecurity tech, healthcare continues to be one of the most at-risk industries in the business sector.

Despite leaps and bounds in cybersecurity tech, healthcare continues to be one of the most at-risk industries in the business sector.

All one has to do is look at the “wall of shame,” the Department of Health and Human Services’ HIPAA Breach Reporting Tool website. Several large incidents have been added in the past few weeks, including a ransomware incident at Bayamón Medical Center and Puerto Rico Womena and Children’s Hospital, and another attack reported by Louisiana-based physician network Imperial Health, LLP.

Since its founding in September 2009, approximately 2,826 breaches affecting 202.1 million total individuals have been posted to the website. 271 of these breaches have been added this year, and of those, 161 were reported as hacking or IT incidents. On the flip side, just 18 breaches were attributed to loss or theft of unencrypted devices. This had previously been the number one culprit in major health data breaches—until encryption became more common, and hacker attacks surged in frequency.

Also increasing in occurrence are ransomware attacks, many of which go unreported to federal regulators because organizations do not believe they compromise protected health information. In 2016, the Department of Health and Human Services advised that most ransomware attacks result in breaches, and must be reported under the HIPAA Breach Notification Rule.

A Widening Scope

On May 21, the aforementioned Puerto Rico hospitals discovered that patient information was involved in a “blocking incident” that affected nearly 522,500 individuals total. Although they did not indicate whether they paid the hackers or remedied the situation themselves, the range of the attack makes it the largest ransomware-related breach on the tally this year.

Just two days earlier, Imperial Health made a similar discovery—they determined that an unknown party used a malicious virus to infect their system and encrypt its data. They do not believe that any patient information was stolen, but according to their report, the encrypted data included name, date of birth, Social Security number, address, phone number, medical record number, and other clinical information.

Meanwhile, the website tally is currently awaiting the addition of 2019’s largest cyber attack so far: a hacking incident that included at least 16 clients of the American Medical Collection Agency, including Quest Diagnostics and LabCorp, and affected over 23 million people.

Also pending: New Mexico provider Presbyterian Healthcare Services recently reported a phishing incident involving employee emails that reached more than 180,000 people. According to Presbyterian’s official statement, upon discovering the breach in June, they secured the affected email accounts, began to review the impacted emails, and alerted federal law enforcement.

Compliance is Key

HIPAA compliance can make a major difference when it comes to recognizing and reporting attacks on your organization. But ideally, you’ll be able to stop those attacks in their tracks, and that’s where our HIPAA Risk Assessment comes in.

With this comprehensive risk assessment, you can evaluate all levels of your organization, including:

  • Risk Management — Evaluate information and resources to ensure the capability to make risk management decisions
  • Policy and Procedures — Ensure policies and procedures follow best practices and are properly implemented
  • Infrastructure Security — Workstations, services, and server meet best practices security standards
  • Network security — Ensure network is secure and properly monitored
  • Data security — All PHI and data is secure and protected

Don’t end up the next tally on the wall of shame—contact us today.