According to analysis of reported data, healthcare data breaches are increasing in their severity and scope across the country. Four recent data breaches impacted the healthcare sector and over 611,000 individuals.
In the first incident, in October 2021, an Alabama clinic’s cyberattack affected over 228,000 individuals. The cyberattack resulted in unauthorized data access of patient names, contact information, driver’s license numbers, Social Security numbers, birth dates, health insurance policy numbers, and limited health information. The Alabama clinic was unable to identify what specific information was accessed, but the clinic did provide notice to all its patients, whether or not their information was subject to unauthorized access or acquisition. The clinic stated it had no reason to believe that the data has been misused. The Alabama clinic implemented revised email policies, added password complexity rules, and updated network security hardware and login mechanisms.
The second cyberattack occurred in January 2022 in a cardiology office. This cyberattack affected over 287,00 individuals. The investigation discovered that an authorized party accessed files that contained Social Security numbers, driver’s licenses, health insurance information, names, birth dates, clinical information, and patient account numbers. They said they had no reason to believe that the patient information that was breached was misused. The cardiologists’ office implemented its response plan and took additional steps to secure their network.
The third incident occurred between April and June 2021 involving a home healthcare agency in New York. Through a phishing attack, an unauthorized party was able to gain access to a limited number of employee email accounts. This exposure affected over 15,000 individuals, in which an unauthorized party may have accessed names, passport numbers, Social Security numbers, driver’s license numbers, financial account information, medical information, usernames and passwords, and health insurance information. The New York home health agency began to notify the affected individuals of the data breach in February 2022, although the HIPAA Breach Notification Rule does require covered entities to notify affected individuals within 60 days of discovering the breach. The agency stated that they have taken many precautions to safeguard against this happening again, and that they are continually evaluating and modifying their practices and internal controls to secure personal information.
Lastly, a Texas emergency room department experienced a cyberattack in February 2022 that affected over 80,000 individuals. The cyberattack potentially exposed names, birth dates, addresses, and COVID-19 testing results of individuals. The Texas emergency department sent out breach notification letters to the affected individuals and is offering 12 months of identity theft monitoring to those affected.
Issue:
As cyberattacks continue to rise in the healthcare sector, each facility must be proactive in preventing these attacks. Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data that is housed within their computer systems is protected. All staff who have access to the computer network should be trained on best practices in preventing data breaches and what they must do to assist in the prevention of these breaches. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.
Discussion Points:
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices in preventing data breaches.
- Train all appropriate staff on best practices to prevent, detect, and respond to data breaches. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing data breaches and securing PHI.
