HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Data Breaches Occur in Most Industry Sectors

Healthcare organizations and other HIPAA-covered entities are required to report PHI data breaches to the Department of Health and Human Services’ Office for Civil Rights, so it is easy to track the security breaches suffered over the past few years. However, PHI breaches are not specific to the healthcare industry. Protected Health Information is stored by all manner of organizations, and all are at risk of suffering PHI data breaches.

According to a recent study conducted by Verizon Enterprise Solutions, PHI data breaches have been suffered by 90% of companies, including non-healthcare organizations. PHI is not just stored by healthcare providers and insurers. PHI is contained in HR files, in addition to employee program data and workers’ compensation schemes.

Verizon completed an analysis of PHI data breaches that have occurred over the course of the past 20 years. 1,931 individual PHI data breaches were analyzed as part of the study. Those data security incidents exposed the PHI of 392 million patients and employees. The HHS’ Office for Civil Rights and the Department of Veteran Affairs keep records of PHI data breaches, which were analyzed during the study, although data were taken from other sources from 25 different countries around the globe.

The Verizon 2015 Protected Health Information Data Breach Report is due to be published next month, although the lead author, Suzanne Widup, spoke about the findings from the study last week. She said that hackers did not appear to be overly concerned about who stores the data or where PHI is located. The size of an organization is not particularly relevant either. Hackers are attacking large multi-national corporations, but also small to medium sized businesses. The most important consideration for them is how the data can be obtained.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Many companies believe they will not be targeted by hackers because they are not large enough to be a target. Many IT professionals and business owners believe hackers will target larger organizations that hold greater quantities of data. That could prove to be a big mistake.

Widup pointed out that in many cases, specific organizations are not targeted at all. Mistakes are made by employees that leave the door wide open to hackers. In some cases, it doesn’t even require a hacker to gain access to data. PHI may be inadvertently stored on servers that are accessible via the internet, firewalls may be accidentally turned off, or data sent via unsecure communication channels. According to Widup, many PHI data breaches are caused by as a result of employee errors.

Hackers and other cybercriminals often just look for data that can be easily stolen and sold. The reasons for hacking companies may be numerous, but in the majority of cases hackers are just looking to make easy money. Medical data is rarely targeted. Social Security numbers are what many cybercriminals are after. Health information is often stored alongside SSNs so it is also taken. It is actually personal information that is required, as it can be used to commit Identity theft and tax fraud.

The Verizon study showed that while the healthcare industry is heavily regulated under the Health Insurance Portability and Accountability Act, healthcare providers and other HIPAA-covered entities are still suffering data breaches. A high percentage of healthcare PHI data breaches occur as a result of unencrypted portable storage devices and laptop computers being lost or stolen.

Employing data encryption on those devices may not stop 100% of PHI data breaches, but the majority would be prevented. Non-healthcare organizations must also pay attention to data stored in personnel files. Budgets may be spent on improving cybersecurity protections, but oftentimes IT departments tend to concentrate on keeping customer data protected. Data stored in employee files are often neglected. Criminals don’t care where data are stored. If protections are not put in place to protect all forms of PHI, it is only a matter of time before PHI data breaches will be suffered.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.