There have been a total of 132 healthcare data breaches, impacting over 6.8 million individuals, reported to the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) data breach portal so far in 2022. In March 2022, 35 healthcare data breaches were reported to the portal, which affected almost 2.3 million individuals. This reflects a decrease in healthcare data breaches for the second month in a row.
Healthcare data breaches that affect greater than 500 individuals must be reported to OCR’s data breach portal within 60 days of discovering a breach. Therefore, not all healthcare data breaches for February and March 2022 may have been reported. The data breaches reported to OCR for 2022 include:
- January: 50 breaches affecting 2,316,419 individuals
- February: 47 reported breaches affecting 2,254,895 individuals
- March: 35 reported breaches affecting 2,297,041 individuals
The majority of healthcare data breaches are hacking/IT incidents. A recent report revealed that ransomware, double extortion, and software vulnerability exploits were increasingly used rather than traditional data encryption. The largest healthcare data breach reported in March 2022 affected 318,379 victims.
Issue:
Healthcare organizations should implement technical and administrative safeguards in order to effectively detect and respond to security incidents. Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data that is housed within their computer systems is protected. All staff who have access to the computer network should be trained on best practices in preventing data breaches and what they must do to assist in the prevention of these breaches. All staff must fully understand how they can help safeguard protected health information (PHI).
Discussion Points:
- Review policies and procedures related to HIPAA, PHI, and the Privacy Rule. Ensure that they address how to secure PHI and how to avoid falling prey to security breach efforts by unauthorized individuals. Update these documents as new information becomes available.
- Train all staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff, and that each person demonstrates understanding and competency.
