One of the worst nightmares for covered entities and business associates is a healthcare data breach. Not only does it compromise patients' PHI (protected health information), it also puts the organization in an unfavorable position: affected organizations incur considerable costs identifying the cause of the breach and fixing the weaknesses that enabled it. Let's look at some recent cases, why they occurred, and whether the costs can be mitigated.
Recent healthcare data breach cases
Mille Lacs Health System suffered a phishing attack
Minnesota-based Mille Lacs Health System recently experienced a phishing attack that led to a breach of over 10,000 patients' PHI. It detected the incident on November 14th, 2019 and launched an investigation. After a thorough inspection, the health system found that an unauthorized individual had access to its employees' email accounts from August 26th, 2019 to January 7th, 2020.
It was a standard phishing attack: employees received emails from the unauthorized individual, who posed as an insider and asked for credentials. The harvested credentials were then used to gain access to other email accounts.
The compromised PHI consisted of names, dates of birth, clinical information, service dates, Social Security numbers, and so on. After detection, Mille Lacs Health System revoked the outsider's access and reset passwords. Affected patients were notified of the situation on May 11th, 2020 and offered complimentary services.
Employees accessed EHR without authorization
Nebraska Medical Center, based in Omaha, suffered an internal breach. An employee accessed its EHR system without valid authorization and compromised the PHI of 1,311 patients. The hospital terminated the employee and notified all affected patients. Nebraska Medicine, which owns Nebraska Medical Center, officially stated that the former employee did not gain access to sensitive information such as Social Security numbers, driver's license numbers, and financial information.
However, back in December 2019, Nebraska Medicine faced the same situation: an employee inappropriately accessed patient records from July 11th, 2018 to October 1st, 2019. In that case, 1,149 patients were affected. The employee was terminated for the violation, and the healthcare provider stated that retraining on appropriate access would be provided, along with regular audits, to ensure such incidents are not repeated.
Why do healthcare data breaches occur?
One of the biggest reasons is that even though over 80% of providers suffer from and report data breaches, only a meager 5% of IT budgets are allocated to cybersecurity. The result is a shortage of the safeguards HIPAA regulations require to protect PHI. Solutions that can detect vulnerabilities, identify gaps, and remediate them, effectively ensuring HIPAA compliance, are available, but tight budgets keep these tools out of providers' reach. PHI therefore ends up protected by inadequate safeguards, and providers later pay the price.
Beyond budget, a lack of proper training is another compelling reason. As the case of Nebraska Medicine showed, the same type of incident occurred at two of its facilities, indicating that employees still lacked proper knowledge about appropriate access even after the first occurrence.
Ensuring HIPAA compliance is the only way
Irrespective of a healthcare provider's size, budget, and scale, HIPAA compliance can be a taxing procedure. While data breaches are inevitable, you can still stay on the safe side by ensuring HIPAA compliance continuously; it will save you from costly fines and lawsuits. HIPAA Ready can help you with compliance management. A robust HIPAA compliance software, HIPAA Ready has been built to reduce the administrative burden and simplify compliance: manage training effectively, conduct internal audits, and keep everyone on the same page. HIPAA Ready lets you keep all the information in a centralized location so that you can prepare for audits without hassle. Try out HIPAA Ready now to see how it simplifies compliance.