In the United States, breaches of electronic protected health information (ePHI) affecting 500 or more people must be made public. The breaches reported in 2020 are as follows:
[Table: number of cases by type of breach, Jan. 1 to Dec. 31, 2020, including cases currently under investigation; figures not reproduced here]
Source: US Department of Health and Human Services Office for Civil Rights – Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
We can see that most ePHI data breaches result from the malicious actions of cybercriminals. They target patient information to:
Commit identity theft – A single healthcare data record can contain a lot of personally identifiable information (PII), such as a patient’s name, contact information, Social Security number, insurance provider, and policy number. Using these, a fraudster can obtain fake IDs, open new lines of credit, and max out the victim’s insurance policy benefits.
Sell data on the dark web – Instead of committing identity theft themselves, some data thieves prefer to just sell the stolen ePHI on the black market and let others have a crack at fraud. Unlike credit card numbers that can easily become defunct, ePHI is much more difficult to change and therefore more reliable, so much so that a record can fetch up to $250 on the dark web.
Buy and sell drugs and equipment – Fraudsters can use ePHI to purchase prescription medication and medical equipment, which they can resell later on.
Extort healthcare institutions – Cybercriminals have no qualms about endangering the lives of people in dire need of medical services and locking up hospital computer systems with ransomware to extort corporate healthcare providers.
The good news is that ePHI data breaches are largely avoidable, provided that healthcare institutions and their third-party partners take care not to commit these common HIPAA mistakes.
Not encrypting digital records and requiring identity verification
HIPAA requires that ePHI be encrypted and safeguarded so that only authorized parties can access it. In July 2020, Lifespan Health System Affiliated Covered Entity reached an agreement with the Department of Health and Human Services to pay over $1 million for failing to encrypt ePHI on an employee’s stolen laptop. The theft exposed the sensitive health information of over 20,000 patients.
Not providing HIPAA training to staff
It may sound obvious that nurses should not transmit personally identifiable health information about their patients through social media chat apps, but some just don’t know any better. Some may even think that it’s just an expedient way of sending urgently needed information. Regular HIPAA training will correct this and other bad habits that lead to the exposure of patient information.
Not disposing of ePHI properly
HIPAA’s data accessibility rules require health providers to keep ePHI and its corresponding backups for seven years. Once this period elapses, providers may destroy the data to relieve themselves of the risk of exposing it.
However, ordinary file deletion leaves the data recoverable, by design, so that mistakenly deleted files can be restored. Health institutions must therefore delete ePHI in a way that makes it unrecoverable. Likewise, decommissioned storage devices must be completely wiped, if not physically destroyed, so that ePHI does not fall into the wrong hands.
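As an added illustration of the difference between an ordinary delete and an unrecoverable one (this is example code written for this article, not a tool from Healthy IT or a HIPAA-mandated procedure), the Python script below overwrites a constructed sample ePHI export with random bytes, forces the writes to disk, and only then unlinks the file. The sample record, file name and function names are all assumptions made for the example. The comments also carry the caveat a practitioner needs: in-place overwriting is only meaningful on media where the write lands on the same physical blocks, so for SSDs, copy-on-write filesystems, snapshots and cloud block storage, rely on full-disk encryption with key destruction (cryptographic erase) or the purge/destroy methods in NIST SP 800-88 for decommissioned devices.

```python
import os
import secrets
import tempfile

# Constructed sample record standing in for a small ePHI export file.
# No real patient data; values are placeholders.
SAMPLE_RECORD = (
    b"patient_id=EX-0001\n"
    b"name=Jane Example\n"
    b"ssn=000-00-0000\n"
    b"insurer=ExampleCare\n"
)


def overwrite_in_place(path: str, passes: int = 1, chunk_size: int = 1 << 16) -> int:
    """Overwrite every byte of the file with random data, forcing each pass to
    disk with fsync. Returns the total number of bytes written.

    Caveat: this only defeats recovery when the overwrite reaches the same
    physical blocks. Wear-levelled SSDs, copy-on-write filesystems (btrfs, APFS,
    ZFS), snapshots, backups and cloud block storage may keep the old blocks.
    There, use full-disk encryption plus key destruction (cryptographic erase),
    or NIST SP 800-88 purge/destroy for decommissioned media."""
    size = os.path.getsize(path)
    written = 0
    # Unbuffered so each write goes straight to the OS before fsync.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                written += fh.write(secrets.token_bytes(n))
                remaining -= n
            os.fsync(fh.fileno())
    return written


def secure_delete(path: str, passes: int = 1) -> dict:
    """Overwrite, then unlink. A plain os.remove() only drops the directory
    entry and leaves the data blocks intact until reused, which is exactly
    what lets undelete tools recover 'deleted' ePHI."""
    written = overwrite_in_place(path, passes)
    os.remove(path)
    return {"bytes_overwritten": written, "removed": not os.path.exists(path)}


def demo(passes: int = 2) -> dict:
    """Create the constructed ePHI file in a temp directory, show that one
    overwrite pass removes the plaintext before the unlink, then securely
    delete it. Returns a report dict so the result can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ephi_export.txt")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_RECORD)
        original_size = os.path.getsize(path)

        # One pass, then read back: the identifying strings must be gone and
        # the file size unchanged (we overwrote, we did not truncate).
        overwrite_in_place(path, passes=1)
        with open(path, "rb") as fh:
            after = fh.read()
        plaintext_gone = (b"Jane Example" not in after) and (b"000-00-0000" not in after)

        report = secure_delete(path, passes=passes)
        report.update(
            original_size=original_size,
            size_unchanged=len(after) == original_size,
            plaintext_gone=plaintext_gone,
        )
        return report


if __name__ == "__main__":
    print(demo())
```

The report from `demo()` shows the file's size unchanged after the overwrite (the data was replaced, not truncated), the sample identifiers absent from the on-disk bytes, and the file gone after the final unlink. For whole devices, the same principle applies at a different layer: a wipe or cryptographic erase of the entire medium, verified before the device leaves the organization.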
Not undertaking regular organizational risk analysis
Awareness of weaknesses is key to improving organizational performance. If you don’t regularly assess your organization’s compliance with HIPAA, then you likely won’t know about the looming HIPAA violation that could cost you dearly.
To remove any biases, assumptions, and blind spots, you’ll want a third party like Healthy IT to assess your business.
Striving toward 100% HIPAA compliance?
Turn to Healthy IT for critical healthcare IT support. We specialize in setting up and implementing HIPAA-compliant IT systems that provide the best possible experience for your patients.