Winter 2023

Release of Information Report: Data Breaches on the Rise
By Diane E. Ferry, MS, RHIA
For The Record
Vol. 35 No. 1 P. 8

Data breaches in health care organizations are dramatically on the rise. According to US government data, the number of breaches in the first five months of 2022 nearly doubled over the same period in the previous year. A 2021 study by Critical Insight using Health and Human Services (HHS) information found that from 2018 to 2021, there was an 84% increase in the number of health care organization data breaches. In 2021, the number of victims of data breaches grew from 14 million in 2018 to 44.9 million.

In 2021, 93% of health care organizations experienced at least one data breach, while 57% had more than five breaches in 2021. In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the most affected states, with seven and six data breaches reported. Also, in April of 2022, 56 data breaches of 500 or more records were reported to the HHS Office for Civil Rights (OCR).

One of the largest data breaches in 2022 was at TriCare. Over five million records were affected by this breach. Back-up tapes were stolen while an employee was transporting tapes between facilities. The data on the backup tapes was encrypted; however, the encryption method did not follow a required federal standard. Health care facilities need better policies on the transport of health care data between facilities.

What Is Considered a Data Breach?
A data breach is when an unauthorized person gains access to protected health information (PHI) or when PHI has been lost. Examples are when a laptop that contains PHI is lost or stolen; when a phone, laptop, or computer containing PHI is hacked; or when a health care organization representative discloses PHI to an unauthorized person, either intentionally or unintentionally. According to HHS, a breach is considered an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI.

HIPAA requires all health care data breaches to be reported to the OCR. A summary of breaches of 500 or more records is published by the OCR.

According to the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), breaches involving electronic or physical copies of PHI must be reported by covered entities and their business associates. Reportable HIPAA breaches include ransomware attacks, improper disclosures, exposure of PHI, and unauthorized PHI access by employees and third parties. But there are PHI breaches that are exempted from the HIPAA Breach Notification Rule. These include the following:

• breaches of secured PHI, such as encrypted data without access to the key to unlock;

• unintentional (made in good faith) acquisition, access, or use of PHI by an authorized person not resulting in further disclosure or use;

• inadvertent disclosure of PHI by an authorized person to another equally authorized person within the organization; and

• when a covered entity or business associate disclosed PHI and has good faith that it was not retained by the person disclosed to.

The HHS website lists all active investigations from the past 24 months into health care breaches that affect at least 500 people. The site also provides the regulations requiring them and clarifies the reporting process.

Covered health care organizations are responsible not only for their own operations in assuring information security but also for the performance of all subcontractors and third-party vendors.

Data security is both a legal and an ethical responsibility for health care organizations. Federal and state laws are clear about those legal requirements. It is also part of the organizations’ missions and commitments to the communities they serve. Data breaches are an increasing threat to those responsibilities. As the health care world continues to move toward more and more technology in information management, security challenges will continue to grow.

Breaches can be extremely expensive for a health care organization, both financially and in damage to its reputation. According to the HIPAA Journal, the average cost to an organization for a data breach is $9.42 million in mitigation efforts. The average cost per incident is $4.24 million. In addition, there may be very significant federal and state fines/sanctions. The cost of the loss of trust from the community is incalculable.

Most health care data breaches in the United States happen as a result of hacking or IT-related incidents. The most common health care data breaches are attributed to the following:

• passwords that are not strong or sharing of passwords;

• the use of software that has not been properly vetted or tested;

• IT settings that are not updated on a regular basis;

• physical theft of computers, laptops, or cell phones;

• cyber attacks;

• phishing scams;

• downloads and opening of emails that contain viruses; and

• careless attention to data security policies and procedures.

Another issue in connection with data breaches is the increase in employees working remotely. Since COVID, many workers have been moved home to work and the risk of cyberattacks has increased significantly. Remote work is definitely here to stay; therefore, health care organizations must increase the education and monitoring of the remote work force. According to IBM’s Cost of a Data Breach Report, 5% of the data breaches involved remote workers. It also takes longer to identify these types of data breaches.

The most common information that is stolen is patients’ names, dates of birth, Social Security numbers, phone numbers, and addresses.

Health care organizations are targets for cybercrime because of the enormous amounts of PHI that they use and maintain throughout their operations, from large health systems down to individual professional providers. That information is extremely valuable to the cyber-criminal but can also be the target of mischievous or curious hackers.

Data breaches can be very profitable for attackers. These attackers seek health care data to compromise identities, steal money, or sell the information. The theft can also be used in ransom demands.

Data breaches can occur for a number of reasons, including accidents, but targeted attacks are typically carried out in the following four ways:

• Exploiting system vulnerabilities. Out-of-date software can create a hole that allows an attacker to sneak malware onto a computer and steal data.

• Weak passwords. Weak and insecure user passwords are easier for hackers to guess, especially if a password contains whole words or phrases. That’s why experts advise against simple passwords and in favor of unique, complex passwords.

• Drive-by downloads. One could unintentionally download a virus or malware by simply visiting a compromised web page. A drive-by download will typically take advantage of a browser, application, or operating system that is out of date or has a security flaw.

• Targeted malware attacks. Attackers use spam and phishing email tactics to try to trick the user into revealing user credentials, downloading malware attachments, or directing users to vulnerable websites. Email is a common way for malware to end up on your computer. Avoid opening any links or attachments in an email from an unfamiliar source. Doing so can infect your computer with malware. And keep in mind that an email can be made to look like it comes from a trusted source, even when it’s not.

The HIM Professional’s Role
HIM professionals play a very important role in the organization as part of the leadership team to keep information security a high priority in all decisions at all levels, but especially in the HIM and IT departments. What do health care organizations’ employees and the general public need to do at a personal level to protect their health and general information?

• Use strong, secure passwords. Passwords should not be shared. The same passwords should not be used for multiple accounts.

• Secure cell phones.

• Use only secure URLs. Reputable sites begin with https://. The “s” for “secure” is key.

• Wipe your hard drive. If you are recycling your old computer, make sure that you clear your hard drive prior to disposal. The same goes for your smartphones and tablets.

• Avoid oversharing on social media. Never post anything pertaining to sensitive information, and adjust your settings to make your profiles private.

Health care organizations must stay ahead of the IT components of data breaches. Crime from online attacks will most likely increase significantly in 2023. Let’s hope that the work of HIM professionals and other health care leaders will minimize them, keeping their patients and communities safer.

— Diane E. Ferry, MS, RHIA, is an associate with ScanSTAT Technologies. She was president and CEO of Star-Med LLC for 22 years.