Emails Are Top Reason For Breaches Related To Healthcare Data


Email is now the top source of healthcare breaches

Writing in Modern Healthcare, reporter Jessica Kim Cohen noted that since 2010, nearly 200 million people in the U.S. have had their health information exposed in data breaches. And, she added, that number is only going up.

Citing federal data, Cohen reported that in 2018 alone, 13 million people had their health data exposed in 366 breaches. That was an increase of 2% over the 359 breaches that providers, health plans and their business associates reported in 2017.

Why is email so exposed?

According to Cohen, since 2017, email has been the primary outlet through which health data is exposed. That year, there were 85 email breaches—more than double the number reported in 2016—accounting for nearly one-quarter of all healthcare breaches.

At issue is that more data is circulating electronically. Previously, most healthcare organizations and their business associates attributed breaches to the theft of paper records or laptops. Many of the email breaches are the result of phishing, in which attackers obtain sensitive data by posing as a trusted entity, such as the recipient’s employer.

The cost of HIPAA compliance failure can be steep

Writing in The National Law Review, Von Briesen attorneys Stacy Gerber Ward and Madeline Schmid reported that penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) are getting stiffer. Providers may be trying to comply by implementing HIPAA policies and procedures, but, they say, the enforcement trends suggest the growing importance of rigorous audits and enforcement of those policies.

The pair noted the following breaches resulting in consequences of significance:

  1. University of Texas MD Anderson Cancer Center (MD Anderson) pays nearly $4.4 million. An administrative law judge found that MD Anderson violated HIPAA’s Privacy and Security Rules and ordered the provider to pay $4,348,000 in civil money penalties. The Office for Civil Rights (OCR) investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from an MD Anderson employee and the loss of two unencrypted USB drives containing the electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the policies and risk analysis findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 and failed to encrypt its inventory of electronic devices containing ePHI until 2013.
  2. Massachusetts MD lets pharma rep access data. A physician in Massachusetts pleaded guilty to a misdemeanor count of wrongful disclosure of individually identifiable health information in violation of HIPAA. The physician allowed a pharmaceutical sales representative to access the confidential medical information of patients to identify potential candidates for one of the pharmaceutical company’s drugs.

Vigilance matters in compliance

According to Gerber Ward and Schmid, one of the hallmarks of an effective compliance program is to regularly engage in risk assessments, follow enforcement trends, and then evaluate whether your organization is at risk. They conclude that while for many years providers have been focused on implementing HIPAA policies and procedures, the enforcement trends suggest that the focus needs to shift to ensuring that those policies and procedures are monitored and enforced to avoid exposure to increased penalties.

Regardless of industry and, in some cases, geography (healthcare, financial services or insurance, in the US or Canada), no one is immune from oversight and regulatory compliance. Nor is it possible to completely eliminate bad actors. However, a vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. That’s where Patrina can help. We’ve built our business on helping organizations keep track of “bad apples” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture, archiving and records archiving designed specifically for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.