2014 has been a landmark year, although unfortunately for the healthcare industry, for the wrong reasons. This year has seen some of the largest recorded HIPAA data breaches ever to affect the healthcare industry, exposing the protected health data of millions of patients and costing the healthcare industry as a whole many tens of millions of dollars in fines and levies.
The healthcare industry accounted for 42.3% of all data breaches recorded this year according to the Identity Theft Resource Center Report for 2014, and healthcare providers have been responsible for exposing the Protected Health Information of over 8 million Americans in 322 recorded breaches.
Healthcare Industry Warned of Major Breach Risk
The year had only just begun when the FBI released a stern warning to the healthcare industry that cybercriminals were likely to target the healthcare sector in the coming months, and that medical devices and hospital networks were under an elevated risk of a targeted attack. The FBI attributed the increased threat to the “mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market.”
Healthcare organizations were told in no uncertain terms that they must change their perspective on data security, as it is no longer a case of if they will suffer a security breach, but when it will happen and how severe it will be. It would appear that the warnings fell on deaf ears, and many organizations that had started to take data security seriously failed to plug all security holes before data was lost.
Major HIPAA Breaches in 2014 Exposed Millions of Patient Records
A combination of high financial rewards for criminals and substandard data security measures made networks increasingly likely to be attacked. Community Health Systems of Tennessee was the worst hit this year, with hackers stealing 4.5 million of its patient records in a coordinated attack attributed to a group of Chinese hackers. The data was non-medical in nature, although names, addresses, dates of birth, phone numbers and Social Security numbers were included in the stolen data.
St. Joseph Health System had a major data breach exposing 405,000 records, a Sutherland Healthcare Solutions data breach exposed 342,197 patient records, Touchstone Medical Imaging, LLC lost 307,528 records, Community Health Center in Connecticut had 130,000 records compromised and 97,000 were exposed in a breach at NRAD Medical Associates, P.C.
Private and Public Sector Healthcare Targeted
Private healthcare providers were not the only healthcare entities to record major data breaches this year, with the Montana State Department of Public Health and Human Services also targeted by cybercriminals. They managed to steal the health data of 1.3 million individuals, which, to put the scale of the theft into context, is more than the estimated population of the state. The Indiana Health Service also suffered a major breach involving the exposure of 214,000 patient records.
Loss of laptop computers and mobile devices was a major problem throughout the year and has potentially exposed the data of many millions of Americans. Whether they were opportunistic thefts or targeted attacks on the data held on the devices, all of these HIPAA breaches would have been avoided had the data on the devices been encrypted, as required by the HIPAA Privacy and Security Rules.
OCR Issues Heavy Fines for Non-Compliance
The Department of Health and Human Services’ Office for Civil Rights is charged with policing HIPAA, and it has been particularly active this year, investigating more incidents involving data breaches and issuing increased fines for data breaches resulting from lax security standards. New York-Presbyterian Hospital and Columbia University were the hardest hit, receiving a joint $4.8 million fine for HIPAA violations, the combined total being the highest settlement ever collected by the OCR. Concentra Health Services was required to pay $1,725,220 in another major 2014 OCR HIPAA settlement.
The Cost of Data Breaches is far Higher than an OCR Fine
The Ponemon Institute released data this year on the true cost of data breaches, clearly showing the total cost to be far in excess of the fines issued by the Office for Civil Rights for non-compliance. In its report, 2014 Cost of Data Breach Study: Global Analysis, data breaches were estimated to cost an average of $3.5 million each, while the total annual cost to the healthcare industry as a whole was estimated at $5.6 billion, not including the cost to the reputations of the organizations that have failed to protect patient data.
A bad year for data breaches across all business sectors
The non-financial business sector accounted for 32.7% of all breaches, which exposed over 79 million records, including the massive Home Depot attack in which over 56 million records were stolen. In total, across all sectors, the ITRC recorded 761 data breaches for 2014, exposing 83,176,279 individual records.
A difficult 12 months to come
The increasing threat, fueled by the high value of health data on the black market, is likely to see the number of targeted attacks increase. The OCR has proposed even more random audits in 2015 as part of its program of HIPAA enforcement. State Attorneys General’s offices are now fining healthcare organizations for failing to safeguard data under HIPAA, and the recent Connecticut Supreme Court ruling that allowed a negligence lawsuit to be brought against a healthcare provider for violating federal privacy regulations indicates that 2015 could be another tough year for the healthcare industry.
The heavy penalties and the increased likelihood of HIPAA non-compliance being discovered mean that healthcare organizations have now run out of time and must ensure the appropriate administrative, physical and technical safeguards are employed to improve data security and keep ePHI protected.
With new mobile and wearable devices on the verge of release and more apps capable of interacting with ePHI, it looks as though 2015 could well see the trend of security breaches continue, especially if healthcare providers lack the resources to dedicate to cybersecurity.