Reported Healthcare Data Breaches Decrease in March 2022

The number of reported healthcare data breaches affecting more than 500 individuals fell to 43 in March 2022, well below the 12-month average of 57.75 per month. Healthcare data breaches that affect more than 500 individuals must be reported to the US Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovery.

The majority of the healthcare data breaches reported in March were hacking/IT incidents, which accounted for almost 91% of all reported data breaches and just over 98% of breached healthcare records. Over 3 million individuals were affected by the hacking incidents. Thirty-one of the incidents involved hackers gaining access to network servers where patient data was stored, and 10 of the incidents involved unauthorized individuals gaining access to employee email accounts. 

Of the 25 reported data breaches that affected 10,000 or more individuals, all but one were hacking incidents. The largest breach affected over half a million individuals. In that breach, an employee email account was found to have been accessed by unauthorized individuals and used in a business email compromise (BEC) attack to try to divert payment to a third-party vendor. According to the Federal Bureau of Investigation (FBI), BEC attacks may account for only a small percentage of healthcare data breaches, but they are often the biggest cause of losses to cybercrime.

In March 2022 there were no HIPAA enforcement actions announced by OCR or state attorneys general. 

Issue: 

Hackers seek to compromise digital devices, including computers, smartphones, tablets, and even entire networks, and hacking is often motivated by financial gain. Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data housed in their computer systems is protected. All staff who have access to the computer network should be trained on best practices for preventing data breaches and on what they must do to help prevent them. All staff must fully understand how they can help safeguard protected health information (PHI).

Discussion Points: 

  • Review policies and procedures related to HIPAA, PHI, and the Privacy Rule. Ensure that they address how to secure PHI and how to avoid falling prey to attempts by unauthorized individuals to breach security. Update these documents as new information becomes available.
  • Train all staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred and file the signed training document in the employees’ education files. 
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff, and that each person demonstrates understanding and competency.