Last year, the healthcare sector experienced a record-breaking number of data breaches, underscoring the importance of staunch security. Over the course of 2016, the industry saw 40 percent more breaches than it had the year previous, totaling 1,093 incidents. As Healthcare Informatics contributor Rajiv Leventhal pointed out, these events shine a light on "troubling data security trends [that] continue to plague the sector."
However, data breaches can teach other healthcare institutions and covered entities a thing or two about HIPAA compliance and overall security best practices. Today, we're counting down the three worst breaches to take place in the healthcare sector recently, and highlighting the lessons these instances impart.
3) New York-Presbyterian Hospital and Columbia University
This incident makes our list not only due to the circumstances involved in the breach, but the considerable $4.8 million HIPAA settlement the hospital and university paid.
According to Modern Healthcare, this event began in 2010 when a complaint was filed by an individual who came across the sensitive healthcare information of a deceased partner online. It was soon discovered that a breach had taken place, and that the attack not only impacted this deceased patient and their family, but 6,800 other patients as well.
The resulting investigation showed numerous compliance issues, the root of which was a lack of security safeguards to support secure access. A university-employed physician seeking to deactivate a personal server connected to the hospital and university's joint network ultimately opened the door for attack.
"Because of a lack of technical safeguards, deactivation of the server resulted in ePHI (electronic protected health information) being accessible on Internet search engines," the Office for Civil Rights stated.
The takeaway: There are several lessons to be learned from this event, including the importance of working in tandem with other organizations to ensure compliance. In this case, both the university and hospital were responsible for paying the settlement amount, with the hospital contributing $3.3 million.
"Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems," OCR deputy director Christina Heide said.
What's more, this incident shines a light on the importance of access controls and device management. Because a personal server was able to be connected to the network and accessed without proper safeguards in place, sensitive patient data was exposed.
2) Advocate Health Care
The runner-up on our list is an Illinois-based healthcare provider that ultimately paid the largest HIPAA settlement seen to date. According to Becker's Health IT & CIO Review, an investigation was launched after Advocate Health Care submitted three breach reports associated with its subsidiary, Advocate Medical Group. The breaches stemmed from office theft, where four laptops were taken, as well as an external intrusion into the organization's network.
The resulting events compromised the sensitive information of 4 million patients, exposing their names, addresses, payment card details, birthdates and other health and insurance data. And while a considerable amount of information was compromised because of an office and employee vehicle break-in, the OCR noted that Advocate did not properly:
- Assess risks to healthcare data.
- Prevent physical access to its IT infrastructure.
- Encrypt the sensitive information on an employee's laptop.
As a result, Advocate paid a $5.55 million settlement, the largest ever handed down by the OCR. Although thieves stole company-owned devices, improper security controls led to a breach of Advocate Health Care patient data.
The takeaway: This event shows how critically important it is to prevent unauthorized access to the systems and devices used to store protected patient information. Because laptops were stolen and at least one did not have encryption in place, it wasn't difficult for hackers to obtain access to valuable patient details.
Organizations should appropriately pinpoint and mitigate risks to the sensitive information they deal with, including putting security measures like encryption in place to ensure that only authorized individuals can access patient details.
1) TRIPLE-S Management Corporation
The top spot on our list goes to a Puerto Rico-based insurance holding company. TRIPLE-S was fined $3.5 million for significantly widespread non-compliance after five data breaches took place from 2010 to 2015. While these events impacted fewer than 500 individuals, TRIPLE-S's problematic security practices provided multiple avenues for hacker intrusion.
The OCR investigation showed that the proper safeguards weren't implemented to protect patient data at administrative, physical and technical levels. What's more, patient data was improperly disclosed to an external vendor, and an accurate risk assessment was never performed.
The takeaway: The lesson here is clear - it's imperative to follow all the rules and addressable implementations included in HIPAA and its Security Rule. These measures are put in place for a reason, and failure to follow them can have considerable repercussions for an organization and its clients.
Data breaches are an inevitable part of today's cybersecurity landscape, but efforts to secure data as part of HIPAA compliance can help mediate these risks.
You can learn more about HIPAA compliance by downloadinig our whitepaper here, or if you're ready to talk to an expert, Hostway security and compliance experts are available 24X7X365. Call (+1.866.680.7556) or chat now.