Phishing EHR Medical Records

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity Records Exposed
Inogen Inc. 29,529
Knoxville Heart Group 15,995
USACS Management Group Ltd 15,552
UnityPoint Health 16,429
Texas Health Physicians Group 3,808
Scenic Bluffs Health Center 2,889
ATI Holdings LLC 1,776
Worldwide Insurance Services 1,692
Billings Clinic 949
Diagnostic Radiology & Imaging, LLC 800
The Oregon Clinic Undisclosed


So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advance antivirus solutions and anti-malware defences should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.

The post Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed appeared first on HIPAA Journal.

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique.

Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders.

Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed.

Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur.

What are Insider Threats?

Before explaining how healthcare organizations can protected against insider threats, it is worthwhile covering the main insider threats in healthcare.

An insider threat is one that comes from within an organization. That means an individual who has authorization to access healthcare resources, which includes EMRs, healthcare networks, email accounts, or documents containing PHI. Resources can be accessed with malicious intent, but oftentimes mistakes are made that can equally result in harm being caused to the organization, its employees, or its patients.

Insider threats are not limited to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks could deliberately or accidentally take actions that could negatively affect an organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former employees.

The consequences of insider breaches can be severe. Healthcare organizations can receive heavy fines for breaches of HIPAA Rules and violations of patient privacy, insider breaches can damage an organization’s reputation, cause a loss of patient confidence, and leave organizations open to lawsuits.

According to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.

Insider threats in healthcare can be split into two main categories based on the intentions of the insider: Malicious and non-malicious.

Malicious Insider Threats in Healthcare

Malicious insider threats in healthcare are those which involve deliberate attempts to cause harm, either to the organization, employees, patients, or other individuals. These include the theft of protected health information such as social security numbers/personal information for identity theft and fraud, the theft of data to take to new employers, theft of intellectual property, and sabotage.

Research by Verizon indicates 48% of insider breaches are conducted for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to steal data.

A 2018 Accenture survey conducted on healthcare employees revealed one in five would be prepared to access and sell confidential data if the price was right. 18% of the 912 employees surveyed said they would steal data for between $500 and $1,000.

Alarmingly, the survey revealed that almost a quarter (24%) of surveyed healthcare employees knew of someone who had stolen data or sold their login credentials to an unauthorized outsider.

Disgruntled employees may attempt to sabotage IT systems or steal and hold data in case they are terminated. However, not all acts of sabotage are directed against employers. One notable example comes from Texas, where a healthcare worker used hospital devices to create a botnet that was used to attack a hacking group.

Non-Malicious Insider Threats in Healthcare

The Breach Barometer reports from Protenus/ break down monthly data breaches by breach cause, including the number of breaches caused by insiders. All too often, insiders are responsible for more breaches than outsiders.

Snooping on medical records is all too common. When a celebrity is admitted to hospital, employees may be tempted to sneak a look at their medical records, or those of friends, family members, and ex-partners. The motivations of the employees are diverse. The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees simply had access to patient records.

Other non-malicious threats include the accidental loss/disclosure of sensitive information, such as disclosing sensitive patient information to others, sharing login credentials, writing down login credentials, or responding to phishing messages.

The largest healthcare data breach in history – the theft of 78 million healthcare records from Anthem Inc.- is believed to have been made possible because of stolen credentials.

The failure to ensure PHI is emailed to the correct recipient, the misdirection of fax messages, or leaving portable electronic devices containing ePHI unattended causes many breaches each year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal or ‘Wall of Shame’ is littered with incidents involving laptops, portable hard drives, smartphones, and zip drives that have stolen after being left unattended.

How to Defend Against Insider Threats in Healthcare

The standard approach to mitigating insider threats can be broken down into four stages: Educate, Deter, Detect, and Investigate.

Educate: The workforce must be educated on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.

Deter: Policies must be developed to reduce risk and those policies enforced. The repercussions of HIPAA violations and privacy breaches should be clearly explained to employees.

Detect: Healthcare organizations should implement technological solutions that allow them to detect breaches rapidly and access logs should be regularly checked.

Investigate: When potential privacy and security breaches are detected they must be investigated promptly to limit the harm caused. When the cause of the breach is determined, steps should be taken to prevent a recurrence.

Some of the specific steps that can be taken to defend against insider threats in healthcare are detailed below:

Perform Background Checks

It should be standard practice to conduct a background check before any individual is employed. Checks should include contacting previous employers, Google searches, and a check of a potential employee’s social media accounts.

HIPAA training

All healthcare employees should be made aware of their responsibilities under HIPAA. Training should be provided as soon as possible, and ideally before network or PHI access is provided. Employees should be trained on HIPAA Privacy and Security Rules and informed of the consequences of violations, including loss of employment, possible fines, and potential criminal penalties for HIPAA violations.

Implement anti-phishing defenses

Phishing is the number one cause of data breaches. Healthcare employees are targeted as it is far easier to gain access to healthcare data if an employee provides login credentials than attempting to find software vulnerabilities to exploit. Strong anti-phishing defenses will prevent the majority of phishing emails from reaching inboxes. Advanced spam filtering software is now essential.

Security awareness training

Since no technological solution will prevent all phishing emails from reaching inboxes, it is essential – from a security and compliance perspective – to teach employees the necessary skills that will allow them to identify phishing attempts and other email/web-based threats.

Employees cannot be expected to know what actions place data and networks at risk. These must be explained if organizations want to eradicate risky behavior. Security awareness training should also be assessed. Phishing simulation exercises can help to reinforce training and identify areas of weakness that can be tackled with further training.

Encourage employees to report suspicious activity

Employees are often best placed to identify potential threats, such as changes in the behavior of co-workers. Employees should be encouraged to report potentially suspicious behavior and violations of HIPAA Rules.

While Edward Snowden did not work in healthcare, his actions illustrate this well. The NSA breach could have been avoided if his requests for co-workers’ credentials were reported.

Controlling access to sensitive information

The fewer privileges employees have, the easier it is to prevent insider breaches in healthcare. Limiting data access to the minimum necessary amount will limit the harm caused in the event of a breach. You should be implementing the principle of least privilege. Give employees access to the least amount of data as possible. This will limit the data that can be viewed or stolen by employees or hackers that manage to obtain login credentials.

Encrypt PHI on all portable devices

Portable electronic devices can easily be stolen, but the theft of a device need not result in the exposure of PHI. If full disk encryption is used, the theft of the device would not be a reportable incident and patients’ privacy would be protected.

Enforce the use of strong passwords

Employees can be told to use strong passwords or long passphrases, but unless password policies are enforced, there will always be one employee that chooses to ignore those policies and set a weak password. You should ensure that commonly used passwords and weak passwords cannot be set.

Use two-factor authentication

Two-factor authentication requires the use of a password for account access along with a security token. These controls prevent unauthorized access by outsiders, as well as limiting the potential for an employee to use another employee’s credentials.

Terminate access when no longer required

You should have a policy in place that requires logins to be deleted when an employee is terminated, a contract is completed, or employees leave to work for another organization. There have been many data breaches caused by delays in deleting data access rights. Data access should not be possible from the second an employee walks out the door for the last time.

Monitor Employee Activity

If employees require access to sensitive data for work purposes it can be difficult to differentiate between legitimate data access and harmful actions. HIPAA requires PHI access logs to be maintained and regularly checked. Since this is a labor-intensive task, it is often conducted far too infrequently. The easiest way to ensure inappropriate accessing of medical records is detected quickly is to implement action monitoring software and other software tools that can detect anomalies in user activity and suspicious changes in data access patterns.

The post How to Defend Against Insider Threats in Healthcare appeared first on HIPAA Journal.

Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack

UnityPoint Health has discovered the email accounts of several employees have been compromised and accessed by unauthorized individuals.

Access to the employee email accounts was first gained on November 1, 2017 and continued for a period of three months until February 7, 2018, when the phishing attack was detected and access to the compromised email accounts was blocked.

Upon discovery of the phishing attack, UnityPoint Health engaged the services of a computer forensics firm to investigate the scope of the breach and the number of patients impacted. The investigation revealed a wide range of protected health information had potentially been obtained by the attackers, which included names in combination with one or more of the following data elements:

Medical record number, date of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information, and insurance information.

The security breach has yet to appear on the Department of Health and Human Services’ breach portal, so it is currently unclear exactly how many patients have been affected by the breach. Notifications to individuals impacted by the breach started to be mailed on April 16, 2018.

To date there have been no reports of any health information being used inappropriately. However, since PHI may have been obtained by the attackers, UnityPoint Health has recommended affected individuals take steps to protect against insurance fraud an identity theft. Those steps include reviewing insurers’ Explanation of Benefits statements, monitoring accounts for fraudulent activity, and contacting insurers for a full list of all medical services paid under their insurance policy and to carefully check the list for any services that have not been received.

The incident has prompted UnityPoint Health to strengthen security controls to prevent similar incidents from occurring in the future.

The post Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack appeared first on HIPAA Journal.

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

Healthcare employees should be trained how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study on 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture.  More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year and it is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.

The post Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks appeared first on HIPAA Journal.

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents.

The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain. 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, with 3% of incidents occurring due to a grudge and a further 3% for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data branches, with the most common problem being errors. Errors were behind 33.5% of incidents within this category, which included the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main incident cause was misdelivery of documents, which accounted for 20% of all incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of all incidents. The theft of laptops was the main incident type. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there were a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks accounted for 8% of all incidents. This category involves attacks on employees. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%), and bribery (7.8%). Pretexting is the next stage on from phishing, when access to email accounts is used to send further emails – BEC attacks for example.

Verizon offers three suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.

The post Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches appeared first on HIPAA Journal.

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website.

The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published.

There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also commonplace.

Healthcare Data Breaches by Year

Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records.  That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

Healthcare data breaches 2019-2017

Healthcare Records Exposed by Year

While there has been a general upward trend in the number of records exposed each year, there was a massive improvement in 2017 – the best year since 2012 in terms of the number of records exposed. However, while breaches were smaller in 2017, it was a record breaking year in terms of the number of healthcare data breaches reported – 359 incidents.

Records Exposed in Healthcare data breaches

Average/Median Healthcare Data Breach Size by Year

Average Size of Healthcare Data Breaches


Median Size of Healthcare Data Breaches


Largest Healthcare Data Breaches (2009-2017)

Rank Year Entity Entity Type Records Exposed/Stolen Cause of Breach
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2011 Science Applications International Corporation Business Associate 4900000 Loss
5 2014 Community Health Systems Professional Services Corporation Business Associate 4500000 Theft
6 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
7 2013 Advocate Medical Group Healthcare Provider 4029530 Theft
8 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
9 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
10 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
11 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
12 2014 Xerox State Healthcare, LLC Business Associate 2000000 Unauthorized Access/Disclosure
13 2011 IBM Business Associate 1900000 Unknown
14 2011 GRM Information Management Services Business Associate 1700000 Theft
15 2010 AvMed, Inc. Health Plan 1220000 Theft
16 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
17 2014 Montana Department of Public Health & Human Services Health Plan 1062509 Hacking/IT Incident
18 2011 The Nemours Foundation Healthcare Provider 1055489 Loss
19 2010 BlueCross BlueShield of Tennessee, Inc. Health Plan 1023209 Theft
20 2011 Sutter Medical Foundation Healthcare Provider 943434 Theft

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although healthcare organizations are now much better at detecting breaches when they do occur. The low hacking/IT incidents in the earlier years is likely to be due, in part, to the failure to detected hacking incidents and malware infections quickly. Many of the hacking incidents in 2014-2017 occurred many months, and in come cases years, before they were detected.

Healthcare Data Breaches - Hacking


Records Exposed in Healthcare Data Breaches - Hacking

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are in close second.

Healthcare Data Breaches - unauthorized access/disclosures


records exposed in authorized access/disclosures

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public.

healthcare theft/loss data breaches


records exposed by healthcare theft/loss data breaches

Improper Disposal of PHI/ePHI by Year

healthcare data breaches - improper disposal incidents


records exposed in healthcare improper disposal incidents


Breaches by Entity Type

Year Provider Health Plan Business Associate Other Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 137 20 42 1 200
2012 155 22 36 4 217
2013 199 18 56 5 278
2014 202 71 41 0 314
2015 196 62 11 0 269
2016 257 51 19 0 327
2017 288 52 19 0 359
Total 1582 318 271 10 2181

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe with multi-million-dollar fines possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.

The penalty structure for HIPAA violations is detailed in the infographic below:

Penalty Structure for HIPAA Violations

OCR Settlements and Fines Over the Years

The data for the healthcare data breach statistics on fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2018. As the graph below shows, there has been a steady increase in HIPAA enforcement over the past 9 years.

HIPAA Fines and Settlements 2008-2017


How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, the level of fines has increased substantially. Multi-million-dollar fines for HIPAA violations are now the norm.

HIPAA Fine and Settlement Amounts 2008-2017


average HIPAA Fines and Settlements 2008-2017


Median HIPAA Fines and Settlements 2008-2017

As the graphs above show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases. 2018 is likely to see fewer fines for HIPAA covered entities than the past two years, although settlement amounts are likely to remain high and even increase in 2018.OCR Director Roger Severino has indicated financial penalties are most likely to be pursued for particularly egregious HIPAA violations.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations

Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.


Year State Covered Entity Amount Individuals affected Settlement/CMP Reason
2018 NY EmblemHealth $575,000 81,122 Settlement Mailing error
2018 NY Aetna $1,150,000 12,000 Settlement Mailing error
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

The post Healthcare Data Breach Statistics appeared first on HIPAA Journal.

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk.

The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016.

Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records.

While hacks were commonly experienced, it was not electronic healthcare data that was the biggest problem area. Paper and film were the most common locations of breached protected health information. 65 hospitals reported paper/film data breaches over the time period that was studied; however, while those breaches were the most common, they typically affected a relatively small number of patients.

Recently, there has been an increase in hacks and malware and ransomware attacks on network servers, although between 2009 and 2016 – for hospitals at least – network servers were the least common location of breached PHI. While the least common, they were the most severe. Network server breaches resulted in the highest number of stolen records.

The second most common location of breaches was PHI stored in locations other than paper/film, laptops, email, desktops, EHRs, or network servers. Those breaches had been reported by 56 hospitals. In third place was laptop breaches, reported by 51 hospitals.

The types of data breaches most commonly experienced were theft incidents, which had been reported by 112 hospitals. Unauthorized access/disclosures were in second place with incidents reported by 54 hospitals. Hacking/IT incidents was third and was behind 27 hospital data breaches.

Multivariate logistic regression analyses were performed to explore factors associated with hospital data breaches. The researchers found significant differences between hospitals that had experienced a data breach and those that had not.

Teaching hospitals and pediatric hospitals were found to be the most susceptible to data breaches. 18% of teaching hospitals had experienced at least one data breach, compared to 3% without a breach. Six percent of pediatric hospitals had experienced a breach compared to 2% that had not.

Larger hospitals were also more prone to data breaches than smaller facilities. 26% of large hospitals had experienced a data breach, compared to 10% that had no breaches. Investor-owned hospitals had reported fewer breaches than not-for profit hospitals.

There were no significant differences based on the level of IT sophistication, health system membership, biometric security use, hospital region, or area characteristics.

The researchers suggest that while hospitals have invested in technology and have digitized health data to meet Meaningful Use requirements, security has not been a major focus and investment in data security has been lacking. Hospitals are typically only spending 5% of their IT budgets on security and that needs to improve if hospital data breaches are to be prevented. Security measures also need to be improved for paper/films to reduce the opportunity for unauthorized access and theft.

The researchers suggest hospitals should be conducting regular audits to determine who is accessing PHI, while audits of data security protections will help hospitals identify vulnerabilities before they are exploited.

The use of biometric identifiers can limit the potential for unauthorized access of ePHI and 2-Factor authentication should be implemented on all user accounts.

The researchers also suggest access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties. By restricting access, the severity of data breaches will be reduced.

The methodology, full results, and conclusions can be found on this link.

The post AJMC Study Reveals Common Characteristics of Hospital Data Breaches appeared first on HIPAA Journal.

January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017.

Healthcare data breaches by Month (August 2017-January 2018)

Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month.

records exposed in January 2018 Healthcare Data Breaches

The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was 15,857 records.

Largest Healthcare Data Breaches in January 2018

In January there were only four breaches reported that impacted more than 10,000 individuals, compared to nine such incidents in December 2017. Hacking incidents continue to result in the largest data breaches with five of the top six breaches the result of hacking/IT incidents, which includes hacks, malware infections and ransomware attacks.


Covered Entity Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Charles River Medical Associates, pc Healthcare Provider 9387 Loss
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. Healthcare Provider 5228 Hacking/IT Incident
RGH Enterprises, Inc. Healthcare Provider 4586 Unauthorized Access/Disclosure
Gillette Medical Imaging Healthcare Provider 4476 Unauthorized Access/Disclosure
Zachary E. Adkins, DDS Healthcare Provider 3677 Theft
Steven Yang, D.D.S., INC. Healthcare Provider 3202 Theft

Main Causes of Healthcare Data Breaches in January 2018

While hacking/IT incidents and unauthorized access/disclosures shared top spot in January, the biggest cause of breaches was actually errors made by employees and insider wrongdoing. Insiders were behind at least 11 of the 21 breaches reported in January.  Four of the five loss/theft incidents involved portable electronic devices. Those incidents could have been avoided if encryption had been used.

Main Causes of January 2018 Data Breaches

  • Hacking/IT Incidents: 7 breaches
  • Unauthorized Access/Disclosure: 7 breaches
  • Loss/theft of physical records and portable devices: 5 breaches

January 2018 Healthcare Data Breaches by Incident Type


Records Exposed by Breach Type

The vast majority of individuals impacted by healthcare data breaches in January 2018 had their health data accessed or stolen in hacking/IT incidents. January saw a significant reduction in records exposed due to loss or theft – In December, incidents involving the loss or theft of devices and physical records impacted 122,921 individuals.

Main Causes of Exposed Healthcare Records in January 2018

  • Hacking/IT Incidents: 394,787 healthcare records exposed in 7 security incidents
  • Loss/theft of physical records and portable devices: 18,519 records exposed in 5 incidents
  • Unauthorized Access/Disclosure: 13,329 healthcare records exposed in 7 incidents

Main Causes of Healthcare Data Breaches in January 2018 - Records by breach type

Location of Data Breaches in January 2018

Overall, more incidents were reported involving electronic copies of health data in January, but covered entities must ensure that appropriate physical security and access controls are in place to prevent unauthorized accessing and theft of paper records. Training must also be provided to staff on disposing of physical records. Two improper disposal incidents were reported in January involving physical records.

Main Locations of Exposed Healthcare Records in January 2018

  • Paper/Films: 13,514 records exposed in 7 incidents: 4 unauthorized access/disclosures; 2 improper disposal incidents, and one incident involving the loss of records
  • Network Servers: 310,593 healthcare records exposed in 4 hacking/IT incidents involving network servers: 1 Hack, 2 malware incidents and one incident for which the cause is unknown
  • Laptop computers: 3 incidents involving laptop computers: 2 stolen devices and one hack/IT incident
  • Email: Three incidents involving unauthorized access/disclosure due to phishing and two hacking incidents
  • EMRs:  3 incidents involving EMRs: 2 unauthorized access incidents (Physician/nurse) and 1 hacking incident

January 2018 Healthcare Data Breaches - Location of breached PHI

January 2018 Healthcare Data Breaches by Covered Entity

In January, no business associates of HIPAA covered entities reported data breaches, and according to the OCR breach summaries, none of the 21 security breaches had any business associate involvement. Healthcare providers were the worst affected with 19 breaches reported.

Healthcare Records Breached

  • Healthcare providers: 398,009 healthcare records exposed in 19 incidents
  • Health plans: 30,634 healthcare records exposed in 2 incidents

January 2018 Healthcare Data Breaches by Entity Type

January Healthcare Data Breaches by State

In January, covered entities based in 15 states reported data breaches that impacted more than 500 individuals.

California was the worst hit state by some distance with 5 covered entities reporting breaches. Tennessee and Wyoming had two breaches apiece, with one incident reported by organizations based in Florida, Illinois, Kentucky, Massachusetts, Maryland, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, and Washington.

Financial Penalties for HIPAA Covered Entities in January

There were no OCR HIPAA fines or settlements announced in January to resolve violations of HIPAA Rules, although the New York Attorney General did settle a case with health insurer Aetna.

Aetna was required to pay the NY AG’s office $1.15 million to resolve violations of HIPAA Rules and state laws. The violations were discovered during an investigation into a serious privacy breach experienced in July 2017. A mailing was sent to approximately 12,000 members in which details of HIV medications were visible through the clear plastic windows of the envelopes – An unauthorized disclosure of PHI. The mailing was sent on behalf of Aetna by a settlement administrator.

Further, it was alleged that Aetna provided PHI to its outside counsel, who in turn provided that information to the settlement administrator – a subcontractor – yet no business associate agreement was in place prior to that disclosure.

Aetna also settled a class action lawsuit in January over the breach. The lawsuit was filed by HIV/AIDS organizations on behalf of the victims of the breach. Aetna settled the lawsuit for $17,161,200.

That is unlikely to be the end of the fines. OCR may decide to take action over the breach and alleged HIPAA violations, and other state attorneys general have opened investigations. Aetna is also embroiled in costly legal action with its settlement administrator.

Data source for breaches: Department of Health and Human Services’ Office for Civil Rights.

The post January 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Healthcare Industry Scores Poorly on Employee Security Awareness

A recent report published by security awareness training company MediaPro has revealed there is still a lack of preparedness to deal with common cyberattack scenarios and privacy and security threats are still not fully understood by healthcare professionals.

For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were asked to provide answers on several different threat scenarios to determine how they would respond to real world threats.

Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of answers correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or lower on the tests. Those individuals were deemed to pose a significant risk to their organization and the privacy of sensitive data.

Overall, 78% of healthcare employees were classified as risks or novices. The percentage of individuals rated in these two categories across all industry sectors was 70%, showing the healthcare industry still lags behind other industry sectors on security awareness and privacy and security best practices.

The survey revealed physicians’ understanding of privacy and security threats was particularly poor. Half of physicians who took part in the study were classified as risks, meaning their actions were a serious security threat to their organization. Awareness of the common identifiers of phishing emails was particularly poor, with 24% of physicians displaying a lack of understanding of phishing, compared with 8% of office workers and non-provider counterparts.

One of the main areas where security awareness was lacking was the identification of the common signs of a malware infection. 24% of healthcare employees had difficulty identifying the signs of a malware infection compared to 12% of the general population.

Healthcare employees scored worse than the general population in eight areas assessed by MediaPro: Incident reporting, identifying personal information, physical security, identifying phishing attempts, identifying the signs of malware infections, working remotely, cloud computing, and acceptable use of social media.

MediaPro points out that the 2017 Data Breach Investigations Report from Verizon showed human error accounted for more than 80% of healthcare data breaches last year, emphasizing the need for improved security awareness training for healthcare employees. Further, cybercriminals have been increasing their efforts to gain access to healthcare networks and sensitive patient information.

“The results of our survey show that more work needs to be done,” MediaPro explains in the report. “HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack, for example.”

If the security awareness of healthcare employees is not improved, the healthcare industry is likely to continue to be plagued by data breaches, irrespective of the level of maturity of their security defenses.

The post Healthcare Industry Scores Poorly on Employee Security Awareness appeared first on HIPAA Journal.