Feature

2019 health care data breaches setting records

April Sather

A record-breaking 50 health care data breaches involving more than 500 records each were reported to HHS this past July, according to a report published in HIPAA Journal.

The article also said that more than 35 million individuals are known to have had their health care records “compromised, exposed, or impermissibly disclosed” thus far in 2019, which is more than the previous 3 full years combined.

One of the most recent data breaches impacted Premier Family Medical in Utah, when a hacking/IT incident occurred on the company’s network server on Sept. 7, according to HHS’ website. The company said it does not believe any information from its 320,000 patient records was taken.

Other health care data breaches reported this year include one from LabCorp, which announced on June 6 that “unauthorized activity” occurred on the webpage of American Medical Collection Agency, LabCorp’s external collection agency, impacting up to 7.7 million patients. Two days before that, Quest Diagnostics experienced a similar breach with American Medical Collection Agency, potentially impacting 11.9 million patients.

“While the type of attack in Utah differed — ransomware vs. a third-party breach — all three involved organizations in the health care ecosystem,” April Sather, a fellow at the Cybersecurity Policy and Research Institute at the University of California, Irvine, told Healio Primary Care.

“The cost per health care record breached averages $429 per record, more than twice that of the next highest category, financial records, according to the latest IBM Ponemon Institute Cost of Data Breach Report,” she continued.

AMA data suggest that physicians cannot afford to be idle when it comes to protecting patient information. The association reported that in 2017, slightly more than 80% of 1,300 U.S. physicians surveyed experienced some type of cybersecurity attack, with the most common being phishing and computer viruses.

Data suggest the information hackers gather varies. A report published in Annals of Internal Medicine showed that among 1,461 breaches that occurred from Oct. 21, 2009, until July 1, 2019, 66% compromised “sensitive demographics,” including birth dates, driver’s license numbers and Social Security numbers, 65% compromised clinical or medical information and 35% compromised financial service information.

Sather offered a few tips to help health care systems protect their patient data and respond should a breach occur:

Encrypt all data using strong encryption algorithms.

Whether data is stored in a file system or database or moving across an online network, the data need to be encrypted and backed up, Sather said, adding that the backup systems should be offsite and tested often.

Plan for future breaches.

Developing a strategy before patient data has been breached is a much better approach than waiting until the system has been hacked, Sather said.

“Incident response plans require communication, documentation, process and practice,” according to Sather. “Technology alone will not help you decide whether to pay a ransom, or when to call your insurance carrier, lawyer or forensics partner. The probability of making a poor decision under duress can be drastically reduced by having a clear plan that key stakeholders are familiar with.”

Follow a risk-based framework.

“Cybersecurity is not achieved through a single technology, process or person,” Sather explained. “Layers of defense, supported by governance and awareness, are required to have a chance at defending your data against increasingly sophisticated, professional and well-funded attackers. Do your research when choosing a framework.”

Keep communication open if a breach occurs.

Sather suggested health systems that experience a data breach “convey what happened in a transparent manner, show empathy for patient concerns, chart a clear path forward for preventing future incidents, and offer an incentive for loyalty” to help retain customers afterwards.

– by Janel Miller

References:

HHS. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed Sept. 12, 2019.

HIPAA Journal. July 2019 Healthcare Data Breach Report. https://www.hipaajournal.com/july-2019-healthcare-data-breach-report. Accessed Sept. 12, 2019.

IBM Security. Cost of a data breach report. https://databreachcalculator.mybluemix.net/executive-summary. Accessed Sept. 12, 2019.

Jiang J, Bai G. Ann Intern Med. 2019;doi:10.7326/M19-1759.

Premier Family Medical. Utah County Medical Group to Notify Patients About Cybersecurity Attack. https://premierfamily.net/questions-about-notification-letter. Accessed Sept. 12, 2019.

Disclosure: Sather reports no relevant financial disclosures.
