Last year is often referred to as the “Year of the Hack” for healthcare, with the majority of healthcare data breaches being caused by third-party cyber attacks. The top three incidents alone combined to potentially affect nearly 100 million individuals, and all involved hacking.
So far, 2016 is not immune from healthcare data breaches, but the leading cause of incidents is unauthorized access, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach reporting database.
There have been 114 incidents reported to OCR between Jan. 1, 2016 and June 1, 2016. Of those, 47 were classified as being caused by unauthorized access or disclosure. The rest of the classification breakdown is as follows:
- 34 - hacking/IT incident
- 26 - theft
- 5 - loss
- 2 - improper disposal
However, the largest healthcare data breach so far this year was due to a hacking incident.
21st Century Oncology
21st Century Oncology announced earlier this year that one of its databases was inappropriately accessed by an unauthorized third party. According to OCR, 2,213,597 individuals were potentially affected by the incident.
The organization was notified by the FBI on November 13 that the incident took place. 21st Century said it “immediately hired a leading forensics firm to support [the] investigation, assess [its] systems and bolster security.”
The forensics firm then determined that the intruder may have accessed the database on October 3, 2015.
“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century said. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”
Radiology Regional Center
Approximately 483,000 individuals were affected by the Florida-based Radiology Regional Center data breach. The incident occurred when paper records were found on a street on December 19, 2015, and was reported to OCR on February 12, 2016.
Patient names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers, other medical status and assessment information as well as some financial information may have been exposed.
Radiology said in a statement that “a small quantity of records” fell onto the street while being transported by Lee County Solid Waste Division, which is responsible for the disposal of Radiology patient records.
California Correctional Healthcare Services
California Correctional Healthcare Services reported in May that PHI may have been exposed for patients in the California Department of Corrections and Rehabilitation, who were incarcerated between 1996 and 2014.
The OCR database states that 400,000 individuals were potentially affected.
An unencrypted work laptop was reportedly stolen from an employee’s personal vehicle, but the organization maintained that the device was password-protected.
“CCHCS [California Correctional Healthcare Services] is committed to protecting the personal information of our patients,” said Director of Communications and Legislation Joyce Hayhoe in a press release. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”
Premier Healthcare, LLC
Indiana-based Premier Healthcare, LLC reported a potential healthcare data breach affecting 205,748 individuals, according to OCR.
The incident occurred when a laptop was stolen from the organization’s billing department.
Premier explained in a statement that the device went missing on December 31, 2015, but was returned around March 7, 2016.
“Based on the forensic analysis and other circumstances of this case, there is no evidence that information on the computer was ever accessed causing a breach by any unauthorized third party,” Premier stated.
Community Mercy Health Partners
Ohio-based Community Mercy Health Partners (CMHP) reported in January that it had experienced a potential healthcare data breach on November 27, 2015 when patient records were discovered in a recycling bin.
CMHP stated that it believed one of its vendors disposed of lab records by placing them in the dumpster on November 25, 2015.
Potentially exposed information may have included patients’ names, physicians’ names, accession numbers, types of study, guarantor information, health insurance information, diagnoses, and other clinical information. Social Security numbers and driver’s license numbers may also have been included in some instances.
“To help prevent this from happening in the future, we have taken steps to re-inventory all document storage locations, significantly reduced or eliminated retention of paper documents when the information is electronically available, and re-educated our facilities management contractors on the requirements for physical storage relocation projects,” CMHP said in a statement.
With healthcare ransomware cases seemingly being reported more frequently this year, covered entities and business associates need to ensure that they are creating comprehensive approaches to data security.
Employees need to be trained in proper disposal methods, as well as how to identify potential phishing scams. It is also essential to have staff members at all levels educated on physical, technical, and administrative safeguards. Even with technology evolving, a laptop theft could still lead to a devastating healthcare data breach.