HIPAA Breach News

35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach

The Otis R. Bowen Center for Human Services, an Indiana-based provider of mental health and addiction recovery healthcare services, has announced that unauthorized individuals have gained access to the email accounts of two of its employees.

It is unclear when the email account breaches occurred or for how long unauthorized individuals had access to the accounts. In its website substitute breach notification, The Otis R. Bowen Center said an independent digital forensic investigation revealed on January 28, 2020 that PHI had potentially been accessed as a result of the attack. The review of the accounts to determine which patients were affected has now been completed and those individuals have been notified by mail. No mention was made of the types of information that were potentially compromised.

The Otis R. Bowen Center said the investigation did not uncover any evidence to suggest that any PHI had been misused as a result of the breach but, out of an abundance of caution, affected individuals have been offered complimentary membership to credit monitoring and identity theft protection services through Kroll.

In response to the breach, The Otis R. Bowen Center has taken steps to improve email and network security and is working closely with leading cybersecurity experts to improve the security of its digital environment.

The Department of Health and Human Services’ breach portal indicates the compromised email accounts contained the protected health information of 35,804 patients.

Phishing Attack Reported by University of Minnesota Physicians

University of Minnesota Physicians has discovered two employee email accounts have been compromised as a result of responses to phishing emails. In each case, the phishing attacks were detected shortly after the email accounts were compromised and action was taken on January 31, 2020 and February 4, 2020 to secure the accounts.

An unauthorized individual had access to one account for less than two days, and the second account was accessible only for a few hours.

A comprehensive investigation was conducted by third-party computer forensics experts, but it was not possible to determine if any emails in the accounts were viewed or copied by the attackers.  A review of the email accounts was conducted by third-party specialists who determined the email accounts contained patient names, telephone numbers, addresses, dates of birth, demographic information (race, gender, ethnicity), Social Security numbers, insurance ID numbers, location of treatment, provider names, limited medical history information, and case numbers.

UMPhysicians started sending notification letters to affected individuals on March 30, 2020 and is offering complimentary membership to credit monitoring and identity theft protection services through Kroll for 12 months.

UMPhysicians said multiple email security controls were in place at the time the email accounts were attacked, including multi-factor authentication. Employees had also been provided with security awareness training and phishing simulation exercises are regularly conducted.

Refresher training has now been provided to employees and UMPhysicians is looking into measures that can be implemented to further improve email security.

The OCR breach portal indicates 683 patients were affected by the breach.

The post 35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach appeared first on HIPAA Journal.

Ransomware Attacks Reported by Stockdale Radiology and Affordacare Urgent Care Clinics

Stockdale Radiology in California has announced that patient data has been compromised as a result of a ransomware attack on January 17, 2020.

An internal investigation confirmed that the attackers gained access to patients’ first and last names, addresses, refund logs, and personal health information, including doctor’s notes. Stockdale Radiology said a limited number of patient files were publicly exposed by the attackers.  Stockdale Radiology also discovered on January 29, 2020, that further patient information may have been accessed, but has not been publicly disclosed.

Systems were immediately shut down to prevent any further unauthorized data access and a third-party computer forensics firm was engaged to investigate the breach and determine how access was gained and who was affected. The FBI was immediately notified about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach is ongoing.

In response to the attack, Stockdale Radiology has conducted a review of its internal data management and security protocols and has taken steps to enhance cybersecurity to prevent further attacks in the future.

According to the breach report on the HHS’ Office for Civil Rights website, 10,700 patients were affected by the breach.

Affordacare Urgent Care Clinics Suffer Ransomware Attack

Abilene, TX-based Affordacare Urgent Care Clinics has started notifying patients that some of their protected health information may have been compromised as a result of a ransomware attack. The attack was discovered on February 4, 2020 and is believed to have started on or around February 1, 2020.

An analysis of the breach revealed the attackers gained access to its servers and deployed Maze ransomware. Prior to deploying the ransomware, the attackers downloaded patient information. Some of that data has been publicly exposed.

The types of data on the compromised servers included names, addresses, telephone numbers, ages, dates of birth, visit dates, visit locations, reasons for visits, health insurance provider names, health insurance policy numbers, insurance group numbers, treatment codes and descriptions, and healthcare provider comments.  No financial information, electronic health records, or Social Security numbers were compromised.

Affected individuals have been offered complimentary credit monitoring, identity theft protection, and identity recovery services.

Improper Disposal Incident Reported by Georgia Department of Human Services

The Georgia Department of Human Services has announced that staff in Augusta, GA improperly disposed of boxes of confidential case files containing the records of individuals who received services from the Division of Family & Children Services (DFCS) before June 12, 2017 and individuals who received services from the Division of Aging Services (DAS) before 2017.

After being alerted to the incident, immediate action was taken to recover the boxes to prevent them from being accessed by unauthorized individuals. The Georgia Department of Human Services does not believe the files were accessed by unauthorized individuals during the time the files were left unprotected. All affected patients are being notified about the breach and policies and procedures are being reviewed to prevent similar incidents in the future.

According to the breach summary on the HHS’ Office for Civil Rights breach portal, the files contained the records of up to 500 individuals.

Email Error at NeoGenomics Impacts 911 Patients

NeoGenomics is alerting 911 patients that some of their PHI has been accidentally disclosed to an unauthorized individual.

On January 28, an employee was communicating with a patient about completing and returning a form to NeoGenomics and accidentally attached and sent the wrong Excel spreadsheet. The spreadsheet sent to the patient included data of patients who had laboratory tests performed between January 2018 and October 2019.

The spreadsheet contained patients’ first and last names, dates of birth, and the name of the tests performed by NeoGenomics. The results of the tests were not included in the spreadsheet and no other information was impermissibly disclosed. The error was reported to NeoGenomics by the patient, who confirmed in writing that the spreadsheet has been deleted.

Out of an abundance of caution, NeoGenomics has offered affected individuals complimentary credit monitoring services. NeoGenomics reports that the individual who made the error has been retrained and the workforce has been instructed to check documents and spreadsheets to ensure they are correct before being sent via email.

California Business Associate Reports Potential Breach of Upwards of 70,000 Records

Stephan C. Dean, co-owner of Surefile, a California record storage firm, reported a hacking/IT incident to the HHS’ Office for Civil Rights (OCR) on March 4, 2020 as impacting upwards of 70,000 individuals.

Stephan Dean and his wife have been engaged in a long running legal dispute with Kaiser Permanente over the return and deletion of electronic files containing patient information. Kaiser Permanente has been trying to get the files permanently deleted; however, Stephan Dean insists that Kaiser Permanente owes him money for services rendered. The on-and-off legal action was eventually dropped, but the emails were never returned or deleted.

Surefile worked with Kaiser Permanente and was provided with paper copies of medical records in 2008. When the agreement between Surefile and Kaiser Permanente ended, Stephan Dean returned the paper copies of the medical records to Kaiser Permanente; however, emails containing patient information that were sent to Stephan Dean by Kaiser Permanente remained on his computer. Stephan Dean filed a complaint with OCR over alleged HIPAA violations relating to the emails and lack of a business associate agreement, and while a case was opened and the matter was investigated by OCR, it was eventually closed with no penalty issued.

On August 20, 2019, Stephan Dean was informed by Microsoft that an unauthorized individual may have compromised his MSN email account. The account in question contained files such as spreadsheets that had been sent to Stephan Dean by Kaiser Permanente.

Stephan Dean recently spoke with Dissent of databreaches.net and explained that the 70,000 records only represent a sample of the data and the actual number, which could only be determined with forensic accounting, could well be close to 1 million records.

Databreaches.net reported on the initial breach in 2012 and continued to cover the story. A detailed write up of the legal dispute and latest breach can be found on the following link: https://www.databreaches.net/an-old-hipaa-incident-rears-its-very-ugly-head-again/

Golden Valley Health Centers Alerts Patients to Email Security Breach

Golden Valley Health Centers, a network of healthcare centers in the Merced, Modesto, and Central Valley regions of California, is alerting patients that some of their protected health information has been exposed. Patient information was stored in emails and email attachments in an account that was accessed by an unauthorized individual. The breach was discovered on March 3, 2020 and forensic investigators were called in to investigate.

An analysis of the account revealed it contained names, billing information, health insurance information, appointment records, and patient referral information. While the investigation confirmed that the email account had been accessed by an unauthorized individual, no evidence of data theft or data misuse was uncovered.

In response to the breach, Golden Valley Health Centers is reviewing and revising its information security policies and privacy practices and further training has been provided to the workforce.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Hawaii Pacific Health Discovers 5-Year Insider Data Breach

Hawaii Pacific Health has discovered an employee of Straub Medical Center in Honolulu has been snooping on the medical records of patients over a period of more than 5 years.

Hawaii Pacific Health discovered the unauthorized access on January 17, 2020 and launched an investigation. An analysis of access logs revealed the employee first started viewing patient records in November 2014 and continued to do so undetected until January 2020. During that time, the employee viewed the medical records of 3,772 patients. After concluding the investigation, the employee was terminated.

Affected patients had received treatment at Straub Medical Center, Kapiolani Medical Center for Women & Children, Pali Momi Medical Center, or Wilcox Medical Center. The types of information that the employee could have viewed included patients’ first and last names, telephone numbers, addresses, email addresses, dates of birth, race/ethnicity, religion, medical record numbers, primary care provider information, dates of service, appointment types and related notes, hospital account numbers, department name, provider names, guarantor names and account numbers, health plan names, and Social Security numbers.

The reason for accessing the records was not determined, but Hawaii Pacific Health believes it was out of curiosity rather than to obtain sensitive information for malicious purposes. However, data theft could not be ruled out. All patients whose records were accessed by the employee were notified by mail on March 17, 2020 and were offered one year of free credit monitoring and identity restoration services.

Hawaii Pacific Health is reviewing and updating its internal procedures and will be providing further training on patient privacy. The health system is also evaluating new technologies that can identify unauthorized medical record access and anomalous employee access behavior more rapidly.
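An added example, not Hawaii Pacific Health's code or tooling, of the kind of check that surfaces this pattern from EHR audit logs: it reads constructed audit-log lines and a constructed care-team table (user/patient pairs derived from encounter or scheduling data), flags users who viewed several patients they had no treatment relationship with, and reports how long the pattern ran. The column names, the care-team table, the user and MRN values and the threshold are all assumptions made for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample EHR audit log; none of these users or MRNs are real.
SAMPLE_AUDIT_LOG = """\
timestamp,user,mrn,action
2014-11-05T10:02:11,nurse01,100001,VIEW
2014-11-05T10:40:53,nurse01,100002,VIEW
2014-11-06T08:15:00,clerk02,100001,VIEW
2015-03-19T12:30:42,clerk02,100003,VIEW
2017-08-02T16:05:09,clerk02,100004,VIEW
2020-01-10T09:47:30,clerk02,100005,VIEW
2020-01-10T09:48:02,clerk02,100005,PRINT
2019-12-01T11:00:00,admin03,100002,VIEW
"""

# Constructed treatment-relationship table: (user, mrn) pairs taken from
# encounter/scheduling data, i.e. users who legitimately cared for the patient.
CARE_TEAM = {
    ("nurse01", "100001"),
    ("nurse01", "100002"),
    ("clerk02", "100002"),
}


def parse_audit_log(text):
    """Parse CSV audit lines into dicts, converting the timestamp column."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_snooping(rows, care_team, min_unrelated=3):
    """Flag users who accessed at least `min_unrelated` distinct patients
    with whom they had no care relationship.

    Returns {user: {"unrelated_mrns": set, "first": datetime,
                    "last": datetime, "span_days": int}} for flagged users.
    A single unrelated lookup (admin03 below) stays under the threshold,
    which keeps incidental directory lookups out of the alert queue.
    """
    per_user = defaultdict(lambda: {"unrelated_mrns": set(), "first": None, "last": None})
    for row in rows:
        if (row["user"], row["mrn"]) in care_team:
            continue  # access is covered by a treatment relationship
        entry = per_user[row["user"]]
        entry["unrelated_mrns"].add(row["mrn"])
        ts = row["timestamp"]
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts

    flagged = {}
    for user, entry in per_user.items():
        if len(entry["unrelated_mrns"]) >= min_unrelated:
            entry["span_days"] = (entry["last"] - entry["first"]).days
            flagged[user] = entry
    return flagged


if __name__ == "__main__":
    hits = find_snooping(parse_audit_log(SAMPLE_AUDIT_LOG), CARE_TEAM)
    for user, hit in hits.items():
        print(f"{user}: {len(hit['unrelated_mrns'])} unrelated patients "
              f"over {hit['span_days']} days ({hit['first']:%Y-%m-%d} to {hit['last']:%Y-%m-%d})")
```

Run against a real audit feed, the care-team table is the part that matters: without a relationship source (encounters, orders, scheduling, unit assignment) every lookup looks equally legitimate, which is why this kind of access can run for years undetected. The span figure is what turns a single alert into the "since November 2014" statement in a breach notice.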

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the median breach size was 3,335 records.

Largest Healthcare Data Breaches in February 2020

The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in.

The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI
Health Share of Oregon | Health Plan | 654,362 | Theft | Laptop
BST & Co. CPAs, LLP | Business Associate | 170,000 | Hacking/IT Incident | Network Server
Aveanna Healthcare | Healthcare Provider | 166,077 | Hacking/IT Incident | Email
Overlake Medical Center & Clinics | Healthcare Provider | 109,000 | Hacking/IT Incident | Email
Tennessee Orthopaedic Alliance | Healthcare Provider | 81,146 | Hacking/IT Incident | Email
Munson Healthcare | Healthcare Provider | 75,202 | Hacking/IT Incident | Email
NCH Healthcare System, Inc. | Healthcare Provider | 63,581 | Hacking/IT Incident | Email
SOLO Laboratories, Inc. | Business Associate | 60,000 | Hacking/IT Incident | Network Server
JDC Healthcare Management | Healthcare Provider | 45,748 | Hacking/IT Incident | Email
Ozark Orthopaedics, PA | Healthcare Provider | 15,240 | Hacking/IT Incident | Email

Causes of February Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports, accounting for two thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The average breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts.

There were 6 unauthorized access/disclosure incidents, four of which involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly disclosed in those incidents. The average breach size was 3,126 records and the median breach size was 2,548 records.

While there were only three theft incidents reported, they accounted for 42.78% of breached records. The average breach size was 327,696 records and the median breach size was 530 records.

There were two incidents involving lost paperwork containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.

Location of Breached Protected Health Information

As the bar chart below shows, the biggest problem area for healthcare organizations is protecting email accounts. All but one of the email incidents were hacking incidents that occurred as a result of employees responding to phishing emails. The high total demonstrates how important it is to implement a powerful email security solution and to provide regular training to employees to teach them how to recognize phishing emails.

Breaches by Covered Entity Type

26 data breaches were reported by healthcare providers in February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.

There were 5 data breaches reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The average breach size was 50,124 records and the median breach size was 15,010 records.

Healthcare Data Breaches by State

The data breaches reported in February were spread across 24 states. Texas was the worst affected with 4 breaches. Three data breaches were reported in Arkansas, California, and Florida. There were two reported breaches in each of Georgia, Indiana, Michigan, North Carolina, Virginia, and Washington. One breach was reported in each of Arizona, Hawaii, Illinois, Iowa, Maine, Massachusetts, Minnesota, Missouri, New Mexico, New York, Oregon, Pennsylvania, Tennessee, and Wisconsin.

HIPAA Enforcement Activity in February 2020

There was one HIPAA enforcement action reported in February. The HHS’ Office for Civil Rights announced that Steven A. Porter, M.D. had agreed to pay a financial penalty of $100,000 to resolve a HIPAA violation case. The violations came to light during an investigation of a reported breach involving the practice’s medical records company, which Dr. Porter claimed was impermissibly using patient medical records by withholding access until a payment of $50,000 was received.

OCR found that Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI. The practice had also not reduced risks to a reasonable and appropriate level, and policies and procedures to prevent, detect, contain, and correct security violations had not been implemented.

Phishing Attacks Reported by University of Utah Health, Oregon DHS, and Lifesprk

The Minnesota-based senior care provider Lifesprk is notifying 9,000 of its clients that some of their protected health information was potentially compromised as a result of a November 2019 phishing attack.

On January 17, 2020, Lifesprk discovered an unauthorized individual had gained access to the email account of one of its employees. The account was immediately secured and a third-party cybersecurity firm was engaged to investigate the breach. The cybersecurity firm determined that a limited number of employee email accounts were compromised from November 5 through November 7, 2019.

For the majority of affected individuals, information in the compromised accounts was limited to names, medical record numbers, health insurance information, and some health information. Certain patients also had financial information and/or their Social Security number exposed.

The investigation into the breach is ongoing. To date, no evidence of data theft or misuse of protected health information has been found.

Affected patients started to be notified on March 17, 2020. The delay in sending notifications was due to “unprecedented actions taken in response to the Covid-19 (“Coronavirus”) pandemic.” Individuals whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services.  Lifesprk is now enhancing email security and will reinforce education with its employees about phishing emails.

PHI of University of Utah Health Patients Has Potentially Been Compromised

University of Utah Health announced on Friday that unauthorized individuals gained access to the email accounts of a limited number of employees between January 7 and February 21, 2020 and potentially accessed patients’ protected health information.

University of Utah Health discovered on February 3, 2020 that malware had been installed on an employee’s workstation which potentially gave unauthorized individuals access to patients’ protected health information.

The information stored in the email accounts and on the affected computer was limited to names, birth dates, medical record numbers, and some clinical information related to the care provided by University of Utah Health.

Affected patients are now being notified, security procedures are being reviewed and updated, and education will be reinforced with members of the workforce.

It is currently unclear how many patients have been affected by the breach.

Oregon Department of Human Services Investigating Spear Phishing Attack

The Oregon Department of Human Services has discovered an unauthorized individual gained access to the email account of one of its employees as a result of a response to a spear phishing email.

Information technology security processes had been put in place to detect email account compromises rapidly, which has limited the potential for data theft. The email security breach was detected on March 6, 2020 and the account was immediately secured. The Oregon DHS will be seeking assistance from a third-party entity to review the incident and determine what information has been exposed and how many individuals have been affected. Those individuals will be notified in due course.

At this stage, there is no indication that any protected health information has been accessed, copied, or misused; however, out of an abundance of caution, identity theft protection services will be offered to all affected clients.

Roundup of Recent Healthcare Data Breaches

A roundup of healthcare data breaches and security incidents recently reported to the HHS’ Office for Civil Rights and by media.

Texas Network of Walk-in Clinics Attacked with Maze Ransomware

AffordaCare Urgent Care Clinic, a network of walk-in clinics in Texas, has been attacked by the Maze ransomware gang. According to a recent report on DataBreaches.net, the hackers stole 40GB of data prior to encrypting files. Some of the stolen data was published online when AffordaCare refused to pay the ransom.

The published data included patient contact details, medical histories, diagnoses, billing information, health insurance information, and employee payroll data. The information is still accessible on the Maze ransomware website.

It is currently unclear how many patients have been affected, as the breach has not yet appeared on the HHS’ Office for Civil Rights breach portal.

Tandem Diabetes Care Patients Notified About Phishing Attack

Tandem Diabetes Care, Inc. in San Diego, CA has been targeted by cybercriminals who gained access to the email accounts of a limited number of its employees between January 17, 2020 and January 20, 2020. The attack was discovered on January 17, 2020 and a cybersecurity firm was engaged to assist with the investigation.

An analysis of the compromised accounts revealed they contained patients’ names, contact information, clinical information related to diabetes care, and information about customers’ use of Tandem’s products and services. A limited number of Social Security numbers may also have been compromised.

Tandem is enhancing its email security controls, strengthening user authorization and authentication, and has changed its policies and procedures to limit the types of data that can be sent via email. Affected patients were notified about the breach on March 17, 2020.
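The NeoGenomics misdirected spreadsheet above and Tandem's new limits on what may be sent by email both come down to the same control: an automated check on outbound attachments, because "instruct staff to double-check" does not scale. As an added example, not NeoGenomics' or Tandem's own controls, the Python below is the kind of rule a mail gateway or DLP hook could run before a CSV/spreadsheet export leaves the organisation. It blocks anything containing a Social Security number, blocks multi-patient rosters that carry identifying column headers when addressed outside the organisation, and lets a single patient's blank form through. The sample attachments, the header list, the domain hospital.example and the thresholds are constructed assumptions.

```python
import csv
import re
from io import StringIO

# US SSN pattern with the standard invalid-range exclusions (000, 666, 9xx areas,
# 00 group, 0000 serial). Only the dashed form is checked here.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Header names (lower-cased) that mark a column as a direct patient identifier.
IDENTIFYING_HEADERS = {
    "dob", "date of birth", "birthdate", "mrn", "medical record number",
    "ssn", "social security number", "member id", "policy number",
}

# Constructed sample attachments; no real people or data.
BLANK_FORM = """\
field,value
patient name,
date of birth,
test requested,
"""
PATIENT_ROSTER = """\
last name,first name,date of birth,test
Doe,Jane,1975-04-12,Panel A
Roe,Richard,1980-11-30,Panel A
Poe,Pat,1962-02-02,Panel B
"""
ROSTER_WITH_SSN = """\
name,ssn,note
Jane Doe,123-45-6789,follow up
"""


def assess_outbound_csv(text, recipient, internal_domain, max_patient_rows=1):
    """Decide whether a CSV attachment may be sent to `recipient`.

    Returns (allow, reasons). Policy assumed for this example:
      - an SSN anywhere in the file blocks it regardless of recipient;
      - more than `max_patient_rows` data rows under an identifying column
        header block it when the recipient is outside `internal_domain`
        (one patient's own record is allowed, a roster is not);
      - anything else is allowed.
    """
    reasons = []
    rows = [r for r in csv.reader(StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        return True, reasons
    header = [h.strip().lower() for h in rows[0]]
    data_rows = rows[1:]

    if any(SSN_RE.search(cell) for row in rows for cell in row):
        reasons.append("contains a Social Security number")

    external = not recipient.lower().endswith("@" + internal_domain.lower())
    id_cols = [h for h in header if h in IDENTIFYING_HEADERS]
    if external and id_cols and len(data_rows) > max_patient_rows:
        reasons.append(
            f"{len(data_rows)} patient rows with identifying columns "
            f"{id_cols} addressed to external recipient {recipient}"
        )
    return (not reasons), reasons


if __name__ == "__main__":
    for label, body, to in [
        ("blank form to patient", BLANK_FORM, "patient@gmail.example"),
        ("roster to patient", PATIENT_ROSTER, "patient@gmail.example"),
        ("roster to billing", PATIENT_ROSTER, "billing@hospital.example"),
        ("ssn to billing", ROSTER_WITH_SSN, "billing@hospital.example"),
    ]:
        allow, why = assess_outbound_csv(body, to, "hospital.example")
        print(f"{label}: {'ALLOW' if allow else 'BLOCK'} {why}")
```

The header-based rule is deliberately coarse: it would have caught the NeoGenomics spreadsheet (hundreds of rows with names and dates of birth, sent to one external patient) without any knowledge of the form the employee meant to attach. Real deployments add the undashed SSN form, MRN formats specific to the EHR, and a quarantine path rather than a hard block, but the decision structure is the same.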

Foundation Medicine Email Account Breach Detected

The Cambridge, MA-based provider of genomic profiling services, Foundation Medicine, has discovered the email account of an employee was compromised as a result of a response to a phishing email.

The incident was discovered on January 14, 2020. A third-party forensics firm was engaged to conduct an investigation and determined the email account was accessible between December 17, 2019 and January 14, 2020. During that time, an unauthorized individual potentially accessed patient information in the email account which included patient names, dates of birth, ages, test names, ordering physicians’ names, and FMI ID numbers.

Foundation Medicine has notified all affected patients and additional security awareness training has been provided to the workforce.

Randleman Eye Center Suffers Ransomware Attack

Randleman Eye Center in North Carolina has experienced a ransomware attack that affected a server containing patients’ protected health information. The attack was detected on January 13, 2020 and a third-party computer forensics firm was retained to assist with the investigation.

The investigation is ongoing, but the investigators have determined patient information was encrypted in the attack and could potentially have been accessed by the attackers. The server contained names, dates of birth, genders, and digital retinal images.

Randleman Eye Center has notified affected patients and will be taking steps to improve security to prevent similar attacks in the future.

Torrance Memorial Medical Center Discovers Exposure of Patients’ Radiology Images

Torrance Memorial Medical Center (TMMC) in California has discovered a server used by a third-party radiology vendor had security protections removed that allowed certain patient information to be accessed by unauthorized individuals.

TMMC was notified about the potential data breach by its radiology vendor on January 6, 2020. The investigation revealed protections were accidentally removed on June 20, 2019 and the server could be accessed by unauthorized individuals up to December 13, 2019.

The risk to each patient is believed to be low, as radiology images were only stored on the server for a short period of time. Every 24 hours, images on the server are automatically deleted. However, over the course of 6 months, the server temporarily stored the medical images of 3,448 patients. Those radiology images included names, dates of birth, gender, accession number, medical record number, and referring physician names.

Even though the risk to patients is believed to be low, TMMC has offered complimentary identity theft protection services to all affected patients.

PHI of 2,190 Patients Stolen in Burglary at California Dental Practice

On January 16, 2020, Genuine Dental Care in Saratoga, CA discovered thieves had broken into its offices and had stolen a server that contained the protected health information of 2,190 patients. Data on the server required multiple passwords to be entered in order for patient information to be accessed; however, it is possible that the thieves accessed patient data.

Patient information stored on the server included names, addresses, telephone numbers, Social Security numbers, drivers’ license numbers, health insurance information, dental records, and some financial information including credit card numbers. Genuine Dental Care also reports that medical images of certain patients that received dental treatment between June 2019 and January 2020 have been permanently lost.

The incident was reported to the San Jose Police Department, which is conducting an investigation. Genuine Dental Care has taken steps to improve physical security and additional technical controls have been implemented to further protect patient data.

University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies.

The malware caused a considerable slowdown of the network, with temporary failures of its computer systems causing repeated daily interruptions to day-to-day functions, in particular at UK HealthCare.

UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems, a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although it will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States.

UK HealthCare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer systems were severely impacted at times, patient care was not affected and patient safety was not put at risk.

An internal investigation was launched and third-party computer forensics specialists were engaged to assist with the investigation. University spokesman Jay Blanton said it is hard to determine whether any sensitive data was viewed or downloaded. The belief is that the malware attack was solely conducted to hijack the “vast processing capabilities” of the UK network to mine cryptocurrency.

UK has taken steps to improve cybersecurity, including installing CrowdStrike security software. More than $1.5 million has been spent ejecting the hackers from the network and bolstering security.

Arkansas Children’s Hospital Reboots Systems to Deal with ‘Cybersecurity Threat’

Arkansas Children’s Hospital in Little Rock has experienced a cyberattack that has impacted Arkansas Children’s Hospital and Arkansas Children’s Northwest. Its IT systems have been rebooted in an attempt to deal with the cyberthreat and a third-party digital forensics firm has been engaged to assist with the investigation.

The exact nature of the threat has not yet been disclosed and it is currently unclear when the attack will be resolved. All facilities are continuing to provide medical services to patients, but some non-urgent appointments may have to be rescheduled.

The investigation into the attack is ongoing, but at this stage, no evidence has been found to suggest patient information has been affected.

53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past and 53% have experienced a breach of protected health information in the past 12 months.

The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry.

Keeper Security’s report indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%).

Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only one third of IT and IT security professionals in the healthcare industry said they had enough budget to mount a strong defense to prevent cyberattacks. 90% of healthcare organizations devote less than 20% of their IT budget to cybersecurity, with an average allocation of just 13%. 87% said they did not have the personnel to achieve a more efficient cybersecurity posture. Even though emergency planning is a requirement of HIPAA, less than one third of respondents said they had a plan for responding to cyberattacks.

When asked about the importance of passwords for preventing data breaches, 66% of healthcare organizations agreed that good password security was an important part of their security defenses, but fewer than half of surveyed organizations have visibility into the password practices of their employees.

A second study conducted by the Ponemon Institute, on behalf of Censinet, shows healthcare vendors are also being targeted and are struggling to defend against cyberattacks. That survey revealed 54% of healthcare vendors have experienced at least one data breach in the past, and 41% of those respondents have experienced six or more data breaches in the past 2 years. For healthcare vendors, the average size of a data breach is over 10,000 records and the average cost of a breach is $2.75 million.

When healthcare vendors experience a data breach it is common for customers to take their business elsewhere. 54% of healthcare vendors said a single data breach would result in a loss of business and 28% of healthcare vendors said they lost a customer when security gaps were discovered.

It is common for security gaps to go unnoticed, as 42% of respondents said healthcare providers do not require them to provide proof they are in compliance with privacy and data protection regulations. Even when security gaps are discovered, 41% of healthcare vendor respondents said they were not required to take any action.

Risk assessments are a requirement of HIPAA, but they are costly and time-consuming to perform. Vendors spend an average of $2.5 million a year conducting risk assessments, but only 44% believe risk assessments improve their security posture, which Censinet believes could be due to 64% of vendors finding risk assessments confusing and ambiguous.

59% of healthcare vendors said risk assessments become out of date within 3 months of being conducted, yet only 18% of respondents said their healthcare clients require them to complete risk assessments more than once a year.

“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.” The solution could be automation. 61% of vendors believe workflow automation would streamline the risk assessment process and 60% believe workflow automation would reduce the cost of risk assessments by up to 50%.

The post 53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months appeared first on HIPAA Journal.