If you’re already following HIPAA compliance-related news, you’re probably already familiar with the “Wall of Shame.” If you’re just getting started, read on. The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to report HIPAA cyber security breaches of protected health information (PHI) to the U. S. Department of Health and Human Services (HHS).
Breach means the acquisition, access, use or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the protected health information. HHS then investigates the breaches and the outcome can range from minor corrective actions to big monetary fines.
But that’s not all. Under the HITECH Act passed in 2009, the Secretary of HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are posted online at the HHS’ website for the world to see. This list is known in HIPAA circles as the “Wall of Shame.” The website allows the download of the list into Microsoft Excel and includes information such as the name of the covered entity responsible for the breach, when it was reported, the number of individuals affected by the breach and brief summaries of the breach cases that OCR has investigated and closed.
Breach reporting began September 23, 2009. As of July 19, 2019 there were 247 breaches to date in 2019. Each breach representing the unauthorized disclosure of the PHI of at least 500 individuals. At the conclusion of an investigation, a breach summary is made available to the public via the OCRs Breach Reporting Portal. The following is an example of a breach summary from AccDoc Solutions, outlining their 2018 hacking incident exposing their servers:
“A business associate (BA), AccuDoc Solutions, Inc., discovered on September 29, 2018, that an unauthorized user had gained access to a web server which contained the electronic protected health information (ePHI) for seven of its covered entity (CE) clients, affecting 2,652,537 individuals. While no data was exfiltrated, the ePHI that was potentially exposed included demographic information, account balances, and insurance policy information. In response to the breach, the BA terminated the unauthorized user’s access and improved technical safeguards. The CEs provided breach notification to affected individuals and the media. The BA provided breach notification to HHS on behalf of six out of seven CE clients. One CE notified HHS on its own. OCR obtained assurances that the BA implemented the corrective actions listed.”
A review of the current 2019 OCR breach investigations yields some interesting facts:
- Individuals impacted to-date: 169,839,78 102645994 individuals
- Average size of breaches: 41,726 individuals affected per breach
Top 5 Recent HIPAA Security Breaches:
1. American Collection Agency
- Patients impacted: 25 million
- AMCA is a medical collection company severing multiple large national healthcare clients. In May, the company disclosed they determined they were hacked for an eight month period from August 1, 2018 and March 30, 2019. HealthcareIT Security recently reported that 12 million Quest Diagnostic and 7.7 LabCorp patient data was impacted as part of this breach.
2. Dominion National
- Patients impacted: 2.6 Million
- In June of 2019, Dominion National, an insurer and administrator of dental and vision benefits, reported they identified an unauthorized access event. A subsequent review of the breach by a third-party security firm determined the hack may have started as early as August 2010. The compromised servers were determined to contain patient demographic information of current and former plan members.
3. Inmediata Health Group
- Patients impacted: 1.57 Million
- The data of 1.57 million Inmediata Health Group was exposed in January of 2019. A subsequent investigation determined a misconfigured database allowed for internal business operations webpages to be indexed on public search engines. Additionally, during the breach notification process multiple plan members reported receiving the notifications at their homes addressed to different patients. Breach data included personal information, claims data, and demographic information.
4. UW Medicine
- Patients impacted: 973,000
- In December of 2018, it was discovered that a misconfigured server resulted in internal files becoming publicly accessible on the internet. The breach data included research studies, labs, and large volumes of personal data.
5. Wolverine Solutions
- Patients impacted: 600,000
- WSG was the victim of a ransomware attack in September of 2018. However, many providers were not informed until well into 2019 that they were impacted by the breach. Blue Cross Blue Shield of Michigan and six health systems were identified as being impacted.
Causes of HIPAA Security Breaches and Other Considerations
The #1 cause of breaches is the combination of “Hacking” (145 occurrences), and “Unauthorized Access/Disclosure” (72 occurrences) totaling 67% of 2019 breach to-date. The break down of each breach type is as follows:
- Hacking/IT Incident (145)
- Unauthorized Access/Disclosure (72)
- Theft (22)
- Improper Disposal (3)
Over the past year, there have been a notable increase in the sophistication types of attacks. Carbon Black reported in a recent survey that over the past year 45% of healthcare organizations encountered attacks where the primary motivation was data destruction. In addition to this, Malwarebytes in their quarterly Cyber Crime Tactics and Techniques reported there was a 191% increase in ransomware attacks in Q1 2019.
More frightening is the fact these ransomware attacks can severely impact and delay patient care. Marin Community Clinics recently announced they were victims of a ransomware attack on June 19, 2019. During the event physicians were required to maintain paper charts which would be moved to their EHR platform at a later date. The hospital elected to pay an undisclosed amount and, were able to return their systems to safe operation on June 22.
What You Can Do About Cyber Security Breaches:
- There are many lessons which can be learned from these attacks. In today’s environment, it is not if but when you will get breached. As a result, proactively testing backups and your organization’s incident response plan is key minimizing the impact of a breach event.
- Encrypt your endpoint devices, and centrally managed them to ensure device compliance.
- Buy CYBER INSURANCE. Protecting against the financial impact of a security incident is extremely important. Additionally, depending on the policy and the nature of the breach you may be able to use to cover some portion of fines and penalties with insurance.
- Poor server configurations were the root cause of 2 of the top 5 breaches so far in 2019. IT Operations and Security leaders must insist on having secure server build processes, and long term should deploy automated build processes which have baseline security protocols established.
For more information regarding HIPAA and IT Security compliance please see our other related articles, review our HIPAA audit services, or reach out to us directly with your questions.
- What is HIPAA Compliance
- HIPAA Security Rule Requirements & Implementation Specifications
- Security Risk Analysis & HIPAA Compliance
Nick has over ten years of professional experience in public accounting and risk consulting, with an extensive background in healthcare payer/provider audit and compliance. Prior to Linford & Co. Nick worked in multiple healthcare audit, compliance, and consulting roles, including six years at PwC. He completed a Bachelor of Arts from Colorado State University in 2005, and later a Master in Accountancy. Nick has experience leading SOC 1, SOC 2, HITRUST and HIPAA Security audits. He takes pride in his ability to work with small start-ups and to lead multi-year projects with numerous large health systems and payers.