Healthcare Data Privacy

Data Breach Lawsuit Against Excellus BCBS Survives Motion to Dismiss, in Part

Posted by HIPAA Journal

A lawsuit filed by plaintiffs whose ePHI was exposed as a result of a cyberattack on Excellus BlueCross BlueShield has survived a motion to dismiss, in part. The United States District Court of the Western District of New York has both granted, in part, and denied, in part, the motions to dismiss.

The hacking of Excellus BlueCross BlueShield in 2013 resulted in the exposure of the protected health information of more than 10 million health insurance subscribers. The data breach was discovered in 2015, some 20 months after access to members’ data was first gained.

Following the discovery of the cyberattack, Excellus hired cybersecurity firm Mandiant to conduct a forensic analysis which revealed malware had been installed on the network. While the malware could potentially have resulted in the theft of PHI, no evidence of data exfiltration was discovered, although the possibility that data was stolen could not be ruled out.

Multiple lawsuits were filed against Excellus BCBS, which were consolidated into one case – Matthew Fero, et al., vs Excellus Health Plain Inc.

The plaintiffs allege Excellus was negligent for failing to implement sufficient measures to safeguard the confidentiality, integrity and availability of their electronic protected health information. The plaintiffs also allege breach of implied covenant of good faith and fair dealing, breach of contract, third-party beneficiary breach of contract for the Federal Employee class, negligent misrepresentation, unjust enrichment, violations of state consumer protection laws, violation of the California Customer Records Act, and violations of state insurance personal privacy statutes.

Many lawsuits are filed following healthcare data breaches even though actual losses have not been suffered. Plaintiffs claim that the theft of data places them at a future risk of harm. However, in this case, a number of plaintiffs claim they have suffered actual losses as a direct result of the breach.

Four plaintiffs allege fraudulent tax returns were filed in their names, three allege they suffered identity theft, while twelve allege they have been victims of credit/debit card fraud. All said they had to spend time mitigating risk and that they suffered anxiety and fear of identity theft as a direct result of the breach. All claim they face a future risk of harm as a result of the cyberattack.

Excellus filed two motions to dismiss the lawsuit for lack of standing and failure to state a claim. Excellus sought to dismiss the lawsuit for lack of standing with two separate arguments. First, four plaintiffs did not allege they suffered any misuse of their personally identifiable information due to the cyberattack. Second, the remaining sixteen defendants failed to allege facts to establish that the harm suffered was traceable to the Excellus cyberattack.

United States District Judge Elizabeth A. Wolford ruled that the two motions to dismiss were both granted and denied, in part.

For the plaintiffs that did not allege they had suffered actual harm or losses as a result of the cyberattack, the claims were dismissed without prejudice, although in all other respects the motion to dismiss was denied.

The motion to dismiss for the failure to state a claim was granted, in part, with respect to the claim for breach of the implied covenant of good faith and fair dealing, the negligent misrepresentation claim, the CCRA claim, and NJIPPA and NCCIPA claims, which were dismissed with prejudice, with the exception of the plaintiffs’ claim of breach of the implied covenant of good faith of fair dealing, which may be pursued as part of the breach of contract claim. The plaintiffs’ will be allowed to replead the negligent misrepresentation claim. The claim for misrepresentation was dismissed as none of the plaintiffs alleged they had actually read the privacy and security notices prior to taking out
insurance.

The ruling follows many similar cases, in that the claims for future losses were deemed too speculative. Due to the volume of healthcare data breaches that are now being discovered, it is increasingly common for defendants to argue that alleged losses are not traceable to a specific breach. In this case, Judge Elizabeth Wolford ruled that Excellus’s arguments that the alleged identity theft and other instances of data misuse could not be traced to the 2013 cyberattack had failed, and that the alleged losses were fairly traceable to the cyberattack.

The post Data Breach Lawsuit Against Excellus BCBS Survives Motion to Dismiss, in Part appeared first on HIPAA Journal.

AHIMA Published New Resource Confirming Patients PHI Access Rights under HIPAA

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data.

Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI.

AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data.

AHIMA has explained to whom healthcare providers are allowed to disclose the information: Patients or a nominated personal representative. In the case of the latter, guidance has been issued on who that person may be.

There are various models that can be adopted by healthcare providers for charging patients for copies of PHI. While the actual cost for providing copies of medical records may not be provided at the time the request is made, healthcare providers must advise patients of the approximate cost at the time the request is made. AHIMA points out that if electronic health data is being provided via a patient portal, a charge will not apply.

Since HIPAA serves to protect patient privacy, healthcare providers are required to verify the identity of the person making the request or a personal representative if one is used. A healthcare provider will therefore require a photographic ID to be produced prior to any records being released. A waiver will also need to be signed verifying identity.

AHIMA explains that obtaining copies of medical records is important. Access to health data improves patient engagement and empowers them to make more informed choices about their healthcare.

While providers should be able to obtain health data from other providers, that process is not always straightforward due to data incompatibility issues. It is therefore important that patients have complete copies of their medical records so they can provide complete sets to new providers. Doing so improves the coordination of care.

Patients should also check their health records for any errors and omissions – known allergies for instance. If an error or omission is discovered, a request to change the records should be submitted to the appropriate healthcare provider.

The AHIMA slideshow can be viewed here. Further information for patients on medical record access can be found in an accompanying blog post.

Penalties for Failing to Provide Patients with Copies of their Medical Records

Healthcare providers should be aware that failure to provide patients with copies of their medical records can result in a financial penalty for non-compliance with HIPAA Rules.

41 patients of Cignet Health of Prince George’s County in Maryland were denied access to their medical records and complained to OCR. The investigation revealed that the HIPAA Privacy Rule had been violated. Cignet eventually settled with OCR for more than $4.3 million.

AHIMA recommends that healthcare providers regularly review their policies and procedures for providing patients with copies of their medical records. Many healthcare providers have unintended barriers in place that make it difficult for patients to exercise their right to access their health data. Only by understanding HIPAA Rules on patient PHI access rights – and ensuring HIPAA Rules are followed – will healthcare providers be able to ensure that their patients enjoy the benefits that come from them taking a more active role in their healthcare.

The post AHIMA Published New Resource Confirming Patients PHI Access Rights under HIPAA appeared first on HIPAA Journal.

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

Posted by HIPAA Journal

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks.

While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable. Smaller healthcare organizations simply don’t have the staff and expertise to follow the full HITRUST CSF framework.

While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and the requirements to comply with HIPAA already take up a lot of resources, HITRUST has developed a more simplified, streamlined framework which is much better suited to small healthcare organizations.

The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more streamlined assessment approach, is easier to understand, yet will still help smaller healthcare organizations with their risk management and compliance efforts.

To develop the pilot CSFBASICs program, HITRUST collaborated with small businesses and the physician community. The pilot is now in the final phase and HITRUST expects to make the CSFBASICs program widely available by Q3, 2017.

Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a Corpus Christi, TX-based five-physician primary healthcare practice, explained the problem, “I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA.” Walker went on to say, “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Enhancements Made to HITRUST CSF and CSF Assurance Program

 

In addition to the CSFBASICs program, HITRUST has also announced that it has enhanced its HITRUST CSF programs (V8.1 and V9) along with the supporting HITRUST CSF Assurance Program (V9). The updates include new guidance and better assurance and support for healthcare organizations to help them deal with the increase in cyber threats and to improve resilience against those threats.

HITRUST (and the HITRUST CSF Advisory Council) sought input from healthcare industry stakeholders on potential changes and updates to the framework. From the comments received, a number of enhancements have now been made.

HITRUST CSF v8.1, which was made available on February 6, 2017, includes updated content and support for PCI DSS v3.2 and MARS-E v2. The CSF Assurance Program V9 has been enhanced with the HITRUST CSF Assessment also including a NIST Cybersecurity Framework certification, a HIPAA risk assessment and auditable documentation.

HITRUST CSF v9 update includes the latest OCR Audit Protoco (v2), FEDRAMP Support for Cloud and IaaS Service Providers and FFIEC IT Examination Handbook for Information Security. The updated version is not expected to be available until July, 2017. That will give HITRUST time to harmonize the new requirements of the program with the current program to ensure that the changes to not overly add to the complexity of the framework.

The post Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management appeared first on HIPAA Journal.

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles

Posted by HIPAA Journal

Theft, hacking, ransomware, and improper ePHI access by employees – The past few days have seen a diverse range of healthcare data breaches reported.

St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and a SD memory card from a digital camera have been stolen from the car of a postgrad dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health histories, and referral letters including contact information.

Affected patients have been offered one year of credit monitoring services, staff have been retrained on the proper procedures for storing patient health information and disciplinary sanctions have been imposed on the individual who had been issued with the devices.

Family Services Rochester: Systems Hacked; ePHI Potentially Viewed; Data Encrypted

Family Services Rochester in Minnesota has discovered that some of its systems were compromised by a hacker. The accessed part of its computer system contained a range of sensitive electronic information including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical insurance numbers and medical information.

Access to the computer system was first gained on December 26, 2016 and continued until January 25, 2017, when the attacker installed ransomware that encrypted a range of sensitive data. The incident is being investigated internally and by law enforcement and affected individuals have been offered credit monitoring services to protect them against identity theft.

St. Joseph’s Hospital and Medical Center Breach: Improper Access by Employee

The electronic protected health information of 623 patients of Dignity Health’s St. Joseph Hospital and Medical Center in Phoenix, AZ., has been improperly accessed by one of the center’s employees. The part-time employee was discovered to have accessed the records of patients without any legitimate work purpose for doing so between October 1, 2016 and November 22, 2016. The types of data accessed include patients’ names, demographic data, diagnostic information, clinical information (including doctor’s orders) and medication records. No Social Security numbers or financial data were accessed. The employee in question is not believed to have accessed the records with malicious intent and patients are not believed to be at risk of identity theft.  Dignity Health says “appropriate action has been taken in response to the event.”

Lexington Medical Center – Employee Information Accessed by an Unauthorized Individual

Lexington Medical Center, in Lexington, SC., has discovered that a database – eConnect/Peoplesoft – containing the sensitive information of employees has been accessed by an unauthorized individual. The database contained the types of information criminals seek when sending W-2 Form phishing emails. In this case, the database does not appear to have been accessed as a result of an employee falling for such a scam. The data accessed includes the names and Social Security numbers of employees, but no patient information. Action has been taken to secure the database to prevent further access by unauthorized individuals.

Healthcare Data Breaches Reported to Office for Civil Rights in February 2017

Other recent healthcare data breaches reported to the Department of Health and Human Services Office for Civil Rights in February include:

 

Covered Entity Location Entity Type Records Breached Cause of Breach
Universal Care, Inc. DBA Brand New Day CA Health Plan 14,005 Unauthorized Access/Disclosure
Family Medicine East, Chartered KS Healthcare Provider 6,800 Theft
Walgreen Co IL Healthcare Provider 4,500 Unauthorized Access/Disclosure
Catalina Post-Acute Care and Rehabilitation AZ Healthcare Provider 2,953 Improper Disposal
Jeffrey D. Rice, O.D., L.L.C. OH Healthcare Provider 1,586 Theft
Benesch, Friedlander, Coplan & Aronoff LLP OH Business Associate 1,134 Unauthorized Access/Disclosure
Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service AZ Healthcare Provider 500 Unauthorized Access/Disclosure

The post Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles appeared first on HIPAA Journal.

Quarter of Americans Have Been Impacted by a Healthcare Data Breach

Posted by HIPAA Journal

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture.

The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach.

Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud.

It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who said their data have been stolen said they have experienced medical identity theft as a result. The survey revealed that when medical identity theft occurs, out of pocket expenses of $2,500 are incurred on average.

The report shows half of the individuals who said their data have been stolen did not find out from a breach notification letter. They discovered they were a victim of a healthcare data breach after seeing charges on bank/credit card statements and suspicious entries on their Explanation of Benefits statements. Only a third of respondents said they were notified of the breach by the breached entity.

Even with record numbers of healthcare data breaches occurring, Americans still have faith in providers’ abilities to keep electronic protected health information secure. 88% of respondents said they trusted their providers to secure their ePHI. 85% said they trusted pharmacies, 84% trusted hospitals and 82% trusted health insurance companies. Healthcare technologies fared much worse (57%), as did government organizations (56%).

Businesses that experience data breaches know all too well that there is considerable fallout after a breach announcement is made. Many customers simply take their business elsewhere. That was clearly evident after the Target breach.

However, changing healthcare provider is less straightforward. That said, many breach victims said they did change healthcare provider or insurer after they were notified that their health information had been stolen. A quarter of breach victims said they had already changed healthcare provider following a data breach, while 21% said they had changed health insurance provider.

If a data breach or an attack is experienced, healthcare organizations should carefully assess what went wrong and how their cybersecurity defenses can be improved. Considering the impact healthcare data breaches have on patients and the considerable fallout following a data breach, healthcare organizations should ensure that their cybersecurity defenses are up to scratch to prevent data breaches from occurring in the first place.

The post Quarter of Americans Have Been Impacted by a Healthcare Data Breach appeared first on HIPAA Journal.

American Senior Communities Says 17,000 Employees Impacted by W-2 Scam

Posted by HIPAA Journal

American Senior Communities, a nursing home chain based in central Indiana, has announced that one of its employees responded to a W-2 phishing email and sent the tax information of more than 17,000 employees to tax fraudsters.

There have now been more than 70 organizations that have responded to W-2 Form phishing emails so far this year according to Databreaches.net, although the latest addition to the list is the largest confirmed breach of employee information to have occurred this year.

The massive haul of W-2 Form data included employees’ names, Social Security numbers, birth dates, and addresses. An investigation suggests that the individual behind the campaign was based offshore.

In many cases, organizations discover they have been scammed soon after the email has been sent, allowing rapid action to be taken to limit the harm caused. However, that was not the case here.

The phishing email was sent to a payment processor for American Senior Communities in mid-January; however, the incident was not discovered for a month.

The employee’s error was only identified on February 17 after some of the nursing home chain’s staff members had reported that they had attempted to file their tax returns for the previous fiscal year, only to have those claims rejected as a tax return had already been submitted in their name.

Once it became clear that the tax fraud was made possible because of the actions of an employee, the IRS was notified. The incident has also been reported to the Indiana Office of Attorney General, Law enforcement and the Indiana Department of Revenue. It is unclear how many of the 17,000 employees have already had tax returns filed in their name by fraudsters.

All employees affected by the incident have been offered free credit monitoring service to protect them against identity theft and further fraudulent use of their information.

The post American Senior Communities Says 17,000 Employees Impacted by W-2 Scam appeared first on HIPAA Journal.

Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam

Posted by HIPAA Journal

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO., says a request for W-2 Form data was sent to one of its employees by email.

The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were sent via email to the scammers as requested. No announcement has been made about the number of employees impacted by the incident. The hospital discovered it was the victim of a scam the following day.

The incident has been reported to both the FBI and the IRS and affected employees have been notified and offered 2 years of identity theft protection services without charge through Experian. The incident is not a HIPAA breach as HIPAA Rules do not apply to employee data.

To prevent repeat attacks, Citizens Memorial Hospital will be enhancing its data security education programs. Staff will receive further training to help them identify any further phishing scams sent via email.

The W-2 phishing scam has already claimed many victims this year. The scammers send an email to a member of the payroll/HR department requesting W-2 Form data for all employees who worked for the organization in 2016. The scammers usually impersonate the CEO/CFO and use an email address similar to that used by the targeted organization. Oftentimes, there is one letter missing from the domain part of the email address. A casual glance at the sender’s address is unlikely to reveal that the email is a scam. A careful check will reveal that the email account has been spoofed.

This type of scam was popular last tax season. There were at least 145 victims of the scam last year and tens of thousands of employees had their Social Security numbers, personal information, and earnings disclosed to tax fraudsters. Earlier this month, the IRS issued a warning to educational institutions, nonprofits, tribal organization and healthcare organizations about the W-2 phishing scam advising them to be on high alert.

Databreaches.net is tracking reports of W-2 Form phishing scams. There have already been 62 organizations that have announced they have been fooled by the W-2 phishing scam in 2017.

In addition to Citizens Memorial Hospital, the following healthcare organizations have reported that an employee responded to the scam and disclosed employee data:

  • Adventist Health, Tehachapi Valley, CA
  • Campbell County Health, WY
  • EHealthInsurance, CA
  • Point Coupee Hospital, LA
  • SouthEast Alaska Regional Health Consortium, AK

The post Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam appeared first on HIPAA Journal.

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

Posted by HIPAA Journal

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed.

Amazon Web Service (AWS) one of the most popular choices with the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data.

When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed.

As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security solution that is effective across multiple cloud environments is not only critical to securing patient data, but to remaining HIPAA compliant.” However, the lack of encryption is a cause for concern.

Health Insurance Portability and Accountability Act (HIPAA) Rules permit the use of cloud services for storing and processing ePHI. However, before any cloud service is used, covered entities are required to conduct a comprehensive risk assessment to assess threats to the confidentiality, integrity, and availability of ePHI.

Covered entities must make sure that appropriate technical safeguards are employed to ensure the confidentiality of cloud-stored ePHI is preserved, and data encryption must be considered. If a decision not to use encryption for cloud-stored data is made, the reason for that decision must be documented, along with the alternative controls that are put in place to provide a similar level of protection.

HHS pointed out in last year’s cloud computing guidance for HIPAA-covered entities that encryption can significantly reduce the risk of ePHI being accessed, exposed, or stolen.  That said, HHS also explained that encryption alone is not sufficient to ensure the confidentiality, integrity, and availability of ePHI stored in the cloud.

Encryption may cover the confidentiality aspect, but it will do nothing to ensure that ePHI is always available, nor will it safeguard the integrity of ePHI. Alternative controls must be put in place to ensure ePHI can always be accessed, while access controls must be used to ensure the integrity of ePHI is maintained. The use of encryption alone to safeguard ePHI may therefore constitute a violation of the HIPAA Security Rule.

Healthcare organizations that choose to use cloud services provided by a separate entity must ensure that the cloud service provider is aware of its responsibilities with respect to ePHI. Cloud service providers are classed as business associates of covered entities, and as such, they are required to abide by HIPAA Rules. Healthcare organizations must obtain a signed business associate agreement from each cloud service provider used, if the service is used to store any ePHI. HHS has also explained that even if ePHI is stored in the cloud and the cloud service provider does not hold a key to decrypt the data, the cloud service provider is still classed as a HIPAA-business associate.

The post Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud appeared first on HIPAA Journal.

2016 Healthcare Data Breach Report Ranks Breaches By State

Posted by HIPAA Journal

A new 2016 healthcare data breach report has been released that analyzes incidents reported to the Department of Health and Human Services’ Office for Civil Rights last year. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA –  shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016.

Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers.

The top ten states for healthcare data breaches were found to be:

  1. California – 39 breaches
  2. Florida – 28 breaches
  3. Texas – 23 breaches
  4. New York – 15 breaches
  5. Illinois, Indiana, & Washington – 12 breaches
  6. Ohio & Pennsylvania – 11 breaches
  7. Michigan – 10 breaches
  8. Arizona & Arkansas – 9 breaches
  9. Georgia & Minnesota – 8 breaches
  10. Colorado & Missouri – 7 breaches

The states least affected by healthcare data breaches in 2016 were:

  1. Idaho
  2. Maine
  3. North Dakota
  4. South Dakota
  5. Vermont
  6. West Virginia

HIPAA-covered entities based in each of those states survived 2016 without experiencing a data breach that impacted more than 500 individuals. Only one HIPAA breach impacting more than 500 individuals was reported last year by a HIPAA-covered entity based in Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

The five worst hit states in terms of the numbers of records exposed were as follows:

  1. Arizona – 4,524,278 records
  2. New York – 3,588,554 records
  3. Florida – 2,872,912 records
  4. California – 1,436,701 records
  5. Georgia – 782,956 records

The main causes of healthcare data breaches in 2016 were unauthorized access/disclosure, which accounted for 41.5% of breaches, followed by hacking/IT incidents (31.8%), theft (19%), loss (5.4%) and improper disposal (2.3%).

Theft of physical PHI and devices used to store electronic protected health information was significantly lower than in 2015 when theft accounted for 30% of reported data breaches. In 2015, unauthorized access/disclosure was cited as the cause of 38% of breaches, hacking/IT incidents accounted for 21.4% of breaches, loss of PHI and devices used to store ePHI was the cause of 8.3% of breaches, and improper disposal was the cause of 2.3% of breaches.

The post 2016 Healthcare Data Breach Report Ranks Breaches By State appeared first on HIPAA Journal.