Top 5 Healthcare Data Breaches in 2016 Not From Hacking

2015 was filled with hacking incidents, but the top healthcare data breaches so far this year are from different causes.

Hacking was a top concern last year for covered entities, and it was the leading cause for the largest healthcare data breaches in 2015. Healthcare cybersecurity measures are becoming a top priority for organizations of all sizes, as third-party hackers

Healthcare data breaches in 2016 due to lost devices and improper disposal

However, the first few months into 2016 are showing a slightly different trend, with results from the Department of Health and Human Services (HHS) indicating that stolen devices and improper disposal are the top threats currently facing the industry.

The top five healthcare data breaches of this year so far do not involve hacking or an IT incident, according to the HHS Office for Civil Rights (OCR) data breach reporting tool. Instead, theft, loss, improper disposal, and unauthorized email access or disclosure have caused the largest incidents in 2016.

Medical records found on Florida street

Radiology Regional Center in Florida notified patients of a possible healthcare data breach after some paper records were found on a street on December 19, 2015.

OCR’s data breach reporting tool lists 483,063 individuals as potentially being affected.

Radiology explained in its online statement that “a small quantity of records” fell onto the street while being transported by Lee County Solid Waste Division, which is responsible for the disposal of Radiology patient records.

Patient names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers, other medical status and assessment information as well as some financial information may have been exposed.

“As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed,” the statement explained. “Lee County Solid Waste Division will no longer be responsible for transporting our records for disposal.”

Missing laptop creates Premier Healthcare data security incident

Indiana-based Premier Healthcare, LLC reported earlier this month that a laptop was stolen from its billing department.

The device went missing on December 31, 2015, but was returned to Premier around March 7, 2016. Moreover, Premier determined through forensic analysis that the laptop had not been turned on since it went missing.

Approximately 205,000 individuals were possibly affected, according to the OCR breach reporting tool.

“Based on the forensic analysis and other circumstances of this case, there is no evidence that information on the computer was ever accessed causing a breach by any unauthorized third party,” Premier explained in an online statement.

Patient records found in dumpster

Community Mercy Health Partners (CMHP) reported earlier this year that patient records were found in a dumpster on November 27, 2015.

CMHP concluded that one of its vendors had disposed of lab records by placing them in the dumpster on November 25, 2015.

Patients’ names, physicians’ names, accession numbers, types of study, guarantor information, health insurance information, diagnoses, and other clinical information may have been exposed, according to CMHP. Social Security numbers and driver’s license numbers may also have been included in some instances.

The OCR reports that 113,528 individuals were impacted.

“To help prevent this from happening in the future, we have taken steps to re-inventory all document storage locations, significantly reduced or eliminated retention of paper documents when the information is electronically available, and re-educated our facilities management contractors on the requirements for physical storage relocation projects,” CMHP said in a statement.

Washington State facility breach affects 91K patients

Just over 91,000 individuals were affected by a potential healthcare data breach at the Washington State Health Care Authority (HCA).

HCA reported that one of its employees had mishandled patient information from Apple Health (Medicaid), a provider of free healthcare for low-income individuals.

Two HCA employees allegedly improperly exchanged patient information from Apple Health when one of the employees was helping the other with a spreadsheet problem. However, both employees state that the information was not used for additional purposes.

“While we have no indication that the client files went beyond the two individuals involved, important privacy laws were violated and we are exercising caution and due diligence given the nature of the information,” explained HCA Risk Manager Steve Dotson.

Laptop theft affects 52K individuals in Kansas

Kansas-based Valley Hope Association recently reported that a work-issued laptop was stolen from an employee’s car on December 30, 2015.

While Valley Hope did not state how many individuals were affected by the security breach, the OCR data breach tool lists 52,076 individuals as possibly being affected.

The theft was immediately reported, according to Valley Hope, and the non-profit explained that it launched an investigation once it was made aware of the incident.

“We also disabled the laptop’s network connection capabilities, disabled the employee’s access credentials, and confirmed that our network systems were not accessed by the laptop since the employee’s last valid access before the laptop was stolen,” Valley Hope explained in its statement.

Patient names paired with one or more personal identifiers may have been exposed. These include Social Security numbers, dates of birth, addresses, phone numbers, state identification or driver’s license numbers, physician name, treatment and treatment location, diagnoses, medical record numbers, disability codes, usernames and passwords, tax identification numbers, patient account information, health insurance information, financial information, and medical information.

What does 2016 hold in terms of healthcare data breaches?

Does this mean that third-party hacking will not be an issue this year? Can hospitals and healthcare providers devote less time in teaching employees about phishing scams?

The short answer is no, absolutely not. These results do show that covered entities cannot expect just one type of attack. Data security plans need to account for numerous types of breaches, whether it is an incident stemming from an employee or an unauthorized third-party.

There is no indication that healthcare data breaches, or specifically third-party attacks, are going to slow down anytime soon, HIMSS Analytics Executive Vice President Blain Newton told HealthITSecurity.com.

“If anything, I think it’s going to accelerate,” he explained. “There are vulnerabilities, and there’s not the investment from a health system level, or a governmental level, or any other level that is adequate to protect against it now.”

Conducting regular risk assessments and ensuring that a well-rounded and current risk management plan is in place will also be greatly beneficial, as KPMG Partner Michael Ebert said at HIMSS16.

Incident response is very important, Ebert explained, adding that it is not a matter of if a healthcare organization will be attacked, but a matter of when.

“Some of the major breaches last year were handled very well, for how people were notified,” he said. “And then you see how others acted, and they clearly didn’t have a good incident response package.”

Overall, covered entities and their business associates must ensure that they are prepared for numerous types of data security incidents. Both cyber attacks and a lost laptop could expose sensitive patient information, which is why organizations must have a plan to mitigate risk for both types of scenarios, as well as everything else in between.