The HIPAA Journal Editorials

Security Breaches in Healthcare in 2023

An unwanted record was set in 2023 with 725 large security breaches in healthcare reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), beating the record of 720 healthcare security breaches set the previous year. Aside from 2015, the number of reported security breaches in healthcare has increased every year although the rate of increase is slowing and 2024 could see the healthcare industry start to turn the corner.

As the chart shows, healthcare security breaches are occurring twice as often as in 2017/2018, with two large healthcare data breaches reported each day on average in 2023. Just a few years ago it was alarming that large healthcare data security breaches were being reported at a rate of one a day. Little did we know how bad the situation would get in such a short space of time.

The healthcare industry is struggling to deal with increasingly sophisticated cyberattacks, although in many incidents cyber threat actors have exploited vulnerabilities that should have been identified and addressed long before they were found and exploited by hackers. Many healthcare organizations are failing at basic security measures and are not consistently adhering to cybersecurity best practices due to budgetary pressures, difficulty recruiting and retaining skilled IT security professionals, and confusion about the most effective steps to take to improve resilience to cyber threats.

With healthcare data breaches increasing year-over-year, something needs to be done to help healthcare organizations improve resilience to cyber threats, and action is now being taken at the state and federal levels. In December 2023, the HHS published a concept paper outlining plans to improve resilience to cyber threats across the sector and limit the severity of attacks when defenses are breached. In the paper, the HHS indicated it will be adopting a carrot-and-stick approach: developing voluntary Healthcare and Public Health (HPH) Sector Cybersecurity Performance Goals (CPGs), which consist of the cybersecurity measures that will have the greatest impact on security, along with an update to the HIPAA Security Rule to add new cybersecurity requirements.

In January 2024, the CPGs were unveiled. They consist of Essential CPGs, which are high-impact, low-cost steps that healthcare organizations can take to improve cybersecurity, and a set of Enhanced CPGs to help healthcare organizations mature their cybersecurity programs. The HHS also hopes to obtain the necessary funding to help low-resourced healthcare delivery organizations cover the initial cost of the cybersecurity improvements in the Essential CPGs and to create an incentive scheme to encourage the adoption of the Enhanced CPGs.

In response to an alarming increase in cyberattacks on New York hospitals, New York Governor Kathy Hochul announced new cybersecurity measures had been proposed for New York hospitals, which are expected to be finalized in the first half of 2024. Hospitals in the state will be given a 1-year grace period to comply with the new requirements and funding has been set aside to help them cover the cost of making the necessary improvements.

It is not just the increasing number of data breaches that is a cause for concern; it is also the scale of those breaches. 2023 was the worst-ever year for breached healthcare records, with the number of breached records increasing by 156% from 2022 to 133,068,542, beating the previous record of 113 million records set in 2015. Spread over the year, that is an average of 364,571 healthcare records breached every day.

[Chart: healthcare security breaches 2009-2023, records compromised]

The total of 133 million records is also likely to increase significantly. Under the HIPAA Breach Notification Rule, breaches of 500 or more records must be reported to OCR within 60 days of discovery. When that deadline is near and the breached organization has not yet completed its document review to find out how many individuals have had their protected health information (PHI) exposed, the breach is reported to OCR using a placeholder of 500 or 501 records. The breached entity can then amend its OCR breach report when the number of affected individuals has been confirmed. Currently, 54 data breaches in 2023 are listed on the OCR breach portal as affecting 500 or 501 individuals. Some of these incidents have been reported by large healthcare providers, health plans, and business associates, so some of those breaches could involve hundreds of thousands or even millions of records.

Biggest Healthcare Security Breaches in 2023

Since several large healthcare organizations and major vendors have yet to confirm how many individuals have been affected by data breaches, the list of the biggest healthcare data breaches in 2023 is subject to change. Based on current figures, 114 data breaches of 100,000 or more records were reported in 2023, including 26 data breaches of more than 1 million records, 5 data breaches of more than 5 million records, and one breach of 11.27 million records. The average data breach size in 2023 was 183,543 records and the median data breach size was 5,175 records.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Data Breach
HCA Healthcare | TN | Business Associate | 11,270,000 | Hackers accessed an external storage location that was used to automatically format emails
Perry Johnson & Associates, Inc., which does business as PJ&A | NV | Business Associate | 8,952,212 | Hackers had access to its network between March 27, 2023, and May 2, 2023
Managed Care of North America (MCNA) | GA | Business Associate | 8,861,076 | Ransomware attack with data leak (LockBit ransomware group)
Welltok, Inc. | CO | Business Associate | 8,493,379 | MOVEit Transfer vulnerability exploited (Clop hacking group)
PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Ransomware attack with data leak (Money Message ransomware group)
HealthEC LLC | NJ | Business Associate | 4,452,782 | Hackers had access to its network between July 14, 2023, and July 23, 2023
Reventics, LLC | FL | Business Associate | 4,212,823 | Ransomware attack with data leak (Royal ransomware group)
Colorado Department of Health Care Policy & Financing | CO | Health Plan | 4,091,794 | MOVEit Transfer vulnerability exploited at a vendor (Clop hacking group)
Regal Medical Group, Lakeside Medical Organization, ADOC Acquisition, & Greater Covina Medical Group | CA | Healthcare Provider | 3,388,856 | Ransomware attack with data leak (unspecified Russia-based ransomware group)
CareSource | OH | Business Associate | 3,180,537 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Cerebral, Inc | DE | Business Associate | 3,179,835 | Impermissible disclosure of PHI via pixel tracking code on its website
NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Fortra GoAnywhere MFT vulnerability exploited (Clop hacking group)
Maximus, Inc. | VA | Business Associate | 2,781,617 | MOVEit Transfer vulnerability exploited (Clop hacking group)
ESO Solutions, Inc. | TX | Business Associate | 2,700,000 | Ransomware attack (ransomware group unknown)
Harvard Pilgrim Health Care | MA | Health Plan | 2,624,191 | Ransomware attack (ransomware group unknown)
Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Ransomware attack (ransomware group unknown)
Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 2,430,920 | Ransomware attack (Snatch and Nokoyawa groups claimed credit)
Postmeds, Inc. | CA | Healthcare Provider | 2,364,359 | Hackers had access to its network between August 30, 2023, and September 1, 2023
Centers for Medicare & Medicaid Services | MD | Health Plan | 2,342,357 | MOVEit Transfer vulnerability exploited at Maximus Inc. (Clop hacking group)
Arietis Health, LLC | FL | Business Associate | 1,975,066 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Pension Benefit Information, LLC | MN | Business Associate | 1,866,694 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Performance Health Technology | OR | Business Associate | 1,752,076 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Prospect Medical Holdings, Inc. | CA | Business Associate | 1,309,096 | Ransomware attack with data leak (Rhysida ransomware group)
PurFoods, LLC | IA | Healthcare Provider | 1,229,333 | Hackers had access to its network between January 16, 2023, and February 22, 2023
Virginia Dept. of Medical Assistance Services | VA | Health Plan | 1,229,333 | Hacking incident – details unknown
Nuance Communications, Inc. | MA | Business Associate | 1,225,054 | MOVEit Transfer vulnerability exploited (Clop hacking group)

Causes of Cybersecurity Breaches in Healthcare in 2023

There has been a leveling off of security breaches in healthcare in the last three years after a sharp increase in hacking incidents between 2018 and 2021, with only a 0.69% year-over-year increase in large data breaches. The year included two major mass hacking incidents by the Clop hacking group that affected many healthcare organizations. Clop-linked threat actors exploited zero-day vulnerabilities in two file transfer solutions – Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer. The first of these mass hacking incidents occurred in January with the group exploiting a remote code execution flaw – CVE-2023-0669 – in GoAnywhere MFT to attack almost 130 organizations, including healthcare organizations and business associates.

The second mass hacking incident occurred in May and was far more extensive. A zero-day vulnerability was exploited in MOVEit Transfer and more than 2,470 organizations had data stolen from their MOVEit servers. Across those incidents, the data of more than 94 million individuals was stolen. Many healthcare providers and business associates were affected, and the top three worst affected companies were HIPAA-regulated entities – Maximus, Welltok, and Delta Dental of California and Affiliates.

As the graph below shows, hacking incidents continue to dominate the breach reports, with almost four times as many hacking incidents reported in 2023 as all other breach causes combined: 578 of the year’s 725 breaches were due to hacking and other IT incidents. The sharp rise in hacking incidents in 2018 is linked to the widespread use of ransomware and the proliferation of ransomware-as-a-service (RaaS) groups, which allowed attacks to be conducted at scale by recruiting affiliates to breach networks in return for a cut of any ransoms generated.

[Chart: causes of healthcare security breaches]

Data from the ransomware remediation firm Coveware shows ransomware attacks are becoming much less profitable, with fewer victims choosing to pay the ransom. In Q4 2023, 29% of ransomware victims paid the ransom, compared with 85% at the start of 2019. In these attacks, ransomware groups steal vast amounts of sensitive data. If the ransom is not paid, the data is leaked or sold to other threat actors and is used for a multitude of nefarious purposes, but ransom payments remain the main source of income for these groups, and with fewer ransoms being paid, ransomware actors need to conduct more attacks to maintain their incomes.

The number of healthcare records stolen in hacking incidents has increased sharply in recent years. In 2023, more than 124 million records were compromised in healthcare hacking incidents which is 93.5% of the year’s total number of breached records. On average, 215,269 healthcare records were stolen in each hacking incident (median 73,623 records). The scale of some of these hacking incidents emphasizes the need for network segmentation to limit the data that can be accessed if networks are breached, and the importance of implementing a zero trust architecture. Zero trust assumes that adversaries have already breached ‘perimeter’ defenses and requires verification and validation of every stage of a digital interaction.

[Chart: healthcare security breaches, records compromised]

Aside from hacking incidents, there are several other types of security breaches in healthcare. There was a 10.4% increase in unauthorized access and disclosure incidents in 2023 and a 13.6% increase in impermissibly accessed or disclosed records: 127 unauthorized access/disclosure incidents were reported in 2023, and 8,598,916 records were accessed or disclosed across those incidents. These HIPAA breaches may be smaller than the hacking incidents, averaging 67,708 records per incident (median 1,809 records), but they can be just as harmful.

Improper disposal incidents have remained consistently low over the past 5 years (5 incidents in 2023) apart from a spike during the pandemic in 2020, and there has been a marked decline in loss/theft incidents, of which there were only 15 incidents reported in 2023 – the lowest total of any year to date. The fall in these incidents can be explained by the widespread use of encryption on portable electronic devices and the migration of data to the cloud.

Given the high percentage of hacking incidents, the most common location of breached PHI – network servers – should come as no surprise. In 2023, 69.8% of large data breaches involved network servers (506 incidents). Email was the next most common location of compromised PHI, accounting for 18.3% of breaches (133 incidents). While multifactor authentication does not provide complete protection against email account breaches, widespread adoption of phishing-resistant multifactor authentication would dramatically reduce email data breaches. Multifactor authentication is one of the Essential HPH CPGs and one of the most important security measures to implement in 2024.

[Chart: healthcare security breaches in 2023, location of breached data]

Healthcare Security Breaches at HIPAA-Regulated Entities

The HIPAA Breach Notification Rule requires breaches of unsecured protected health information to be reported to OCR and notifications to be sent to the affected individuals. Breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days from discovery; smaller breaches can be logged and reported to OCR within 60 days of the end of the calendar year in which they were discovered. When a data breach occurs at a business associate of a HIPAA-covered entity, the entity that reports the breach is dictated by the terms of the business associate agreement. Business associates often self-report their data breaches to OCR, but their covered entities may choose to report the breach themselves, or a combination of the two. For instance, Maximus Inc. disclosed in an SEC filing that the data of between 8 million and 11 million individuals was compromised in its MOVEit Transfer hacking incident, but Maximus reported the breach to OCR as affecting 2,781,617 individuals. Several of its clients chose to report the breach themselves.

The OCR breach data lists data breaches by the reporting entity, so analyses based on the raw portal data will underrepresent business associate data breaches. In the table below we show data breaches by reporting entity; the charts reflect where the breach actually occurred.
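The 500/501 placeholder convention and the reporting-entity caveat are both easy to miss when working directly from the OCR breach portal export, so here is a short script, added as an example for this article and not HIPAA Journal code, that parses a portal-style CSV, keeps the reports submitted in a chosen year, lists the reports still carrying a placeholder count, and tallies breaches per reporting entity type alongside the number of reports in which a business associate was involved. The column names are assumed to match the portal's CSV export; the rows are constructed for the demonstration and are not real breach reports.

```python
"""Summarise an export of the OCR breach portal.

Added example for this article, not HIPAA Journal code. The column names
(Name of Covered Entity, State, Covered Entity Type, Individuals Affected,
Breach Submission Date, Type of Breach, Location of Breached Information,
Business Associate Present, Web Description) are assumed to match the
portal's CSV export. The rows below are constructed, not real reports.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the portal's export layout (not real reports).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present,Web Description
Example Health System,TX,Healthcare Provider,240000,03/15/2023,Hacking/IT Incident,Network Server,No,
Example Billing Vendor,FL,Business Associate,1500000,06/30/2023,Hacking/IT Incident,Network Server,Yes,
Example Regional Clinic,OH,Healthcare Provider,501,11/20/2023,Hacking/IT Incident,Email,Yes,
Example Health Plan,MA,Health Plan,2300,08/02/2023,Unauthorized Access/Disclosure,Paper/Films,No,
Example Hospital,CA,Healthcare Provider,500,12/28/2023,Hacking/IT Incident,Network Server,No,
Example Old Breach,NY,Healthcare Provider,9000,05/01/2022,Theft,Laptop,No,
"""

# Counts filed when the affected total is still unknown at the 60-day deadline.
PLACEHOLDER_COUNTS = {500, 501}


def load_reports(csv_text, year):
    """Parse portal rows and keep only those submitted in the given year."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        submitted = datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y")
        if submitted.year != year:
            continue
        row["Individuals Affected"] = int(row["Individuals Affected"])
        rows.append(row)
    return rows


def placeholder_reports(rows):
    """Names of entities whose report still carries a 500/501 placeholder."""
    return [r["Name of Covered Entity"] for r in rows
            if r["Individuals Affected"] in PLACEHOLDER_COUNTS]


def summarise_by_entity_type(rows):
    """Breach count, total records and mean breach size per reporting entity type."""
    by_type = defaultdict(list)
    for r in rows:
        by_type[r["Covered Entity Type"]].append(r["Individuals Affected"])
    return {etype: {"breaches": len(v), "records": sum(v), "mean": sum(v) // len(v)}
            for etype, v in by_type.items()}


def overall_stats(rows):
    """Year totals plus two flags the raw table hides: hacking share and BA involvement."""
    counts = [r["Individuals Affected"] for r in rows]
    return {
        "breaches": len(counts),
        "records": sum(counts),
        "mean": sum(counts) // len(counts),
        "median": statistics.median(counts),
        "hacking": sum(1 for r in rows if r["Type of Breach"].startswith("Hacking")),
        # Reports filed by a covered entity but with a business associate involved:
        # these are the breaches a reporting-entity view attributes to the wrong party.
        "ba_involved": sum(1 for r in rows if r["Business Associate Present"] == "Yes"),
    }


if __name__ == "__main__":
    reports = load_reports(SAMPLE_CSV, 2023)
    print(overall_stats(reports))
    print(summarise_by_entity_type(reports))
    print("placeholder reports:", placeholder_reports(reports))
```

Run against the real export, the placeholder list is the set of reports to re-check later in the year, and the "ba_involved" count gives a lower bound on how many covered-entity reports actually originated at a vendor.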

Healthcare Security Breaches in 2023 – Reporting Entity

Entity Type | Data Breaches | Records Breached | Average Breach Size
Healthcare Provider | 450 | 39,925,448 | 88,723
Business Associate | 170 | 77,347,471 | 454,985
Health Plan | 103 | 15,792,548 | 153,326
Healthcare Clearinghouse | 2 | 3,075 | 1,538

Healthcare Security Breaches in 2023 – Location of Data Breach

The adjusted data shows healthcare providers suffered the most data breaches; however, data breaches at business associates were more severe, with more than 2.5 times as many records breached at business associates as at healthcare providers. The average size of a data breach at a healthcare provider was 89,983 records (median 5,354 records), whereas the average breach at a business associate was 338,394 records (median 5,314 records). 11 of the top 15 security breaches in healthcare in 2023 occurred at business associates of HIPAA-covered entities.

Securing the supply chain is one of the biggest cybersecurity challenges in healthcare. Healthcare organizations often outsource certain functions to specialist vendors and health systems often rely on dozens, if not hundreds, of different vendors, many of which require access to protected health information and every vendor used introduces risk. Healthcare organizations need to conduct due diligence on their vendors, including assessing their security controls. Before onboarding any new vendor it must be made abundantly clear what the business associate’s responsibilities are with respect to HIPAA, data security, and breach reporting.

Strengthening the security of the supply chain is labor-intensive and costly, and many healthcare organizations lack the appropriate resources to devote to vendor risk management, but vendor risk management failures can have significant ramifications. An inventory should be maintained on all vendors, including details of the business associate agreements, and data provided to each.  A risk assessment should be conducted before onboarding any vendor including an assessment of their security posture. If a vendor fails to meet the necessary cybersecurity requirements, then they should not be used. If there is no suitable alternative, then controls should be put in place to manage risk and reduce it to a low and acceptable level. While vendors may confirm that they have implemented reasonable and appropriate safeguards and data security policies and procedures, there are no guarantees that those policies and procedures will be followed and cybersecurity standards maintained. Conducting assessments of vendor security at intake is not sufficient. There should be ongoing reviews and audits of vendors and suppliers. If an organization lacks the personnel to handle this in-house, then third-party consultants should be engaged to assist with these processes. Third-party risk management requirements are included in both the Essential and Enhanced CPGs announced by the HHS in January 2024.

HIPAA Security Breaches Reported in All 50 States

No U.S. state was able to avoid a healthcare security breach in 2023. Data breaches of 500 or more records were reported in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. The states that experienced the most data breaches are the most heavily populated and have the highest number of HIPAA-regulated entities.

State | Number of Data Breaches
California | 80
New York | 63
Texas | 58
Pennsylvania | 40
Massachusetts | 39
Illinois | 36
Florida | 33
Georgia & New Jersey | 21
Arizona & Minnesota | 17
Connecticut, Maryland, Michigan & Ohio | 16
Indiana, North Carolina & Tennessee | 15
Virginia | 14
Iowa | 13
Kansas & Oregon | 12
Washington | 11
Kentucky, Missouri, Mississippi & Wisconsin | 10
Colorado | 9
Alabama | 8
Utah | 7
Arkansas, Oklahoma & South Carolina | 6
Alaska | 5
Idaho, Louisiana, Maine, North Dakota & West Virginia | 4
Delaware & New Mexico | 3
Montana, Nebraska, New Hampshire & Nevada | 2
Hawaii, Rhode Island, South Dakota, Vermont, Wyoming, District of Columbia, Puerto Rico & the U.S. Virgin Islands | 1

HIPAA Enforcement Activity in 2023

In 2023, OCR announced 13 settlements with HIPAA-regulated entities to resolve allegations of HIPAA violations, a 40.9% reduction from the previous year. These investigations stemmed from reviews of HIPAA compliance in response to reported data breaches and from investigations of complaints from patients and health plan members about potential HIPAA violations. While the number of financial penalties fell, the total amount collected through OCR enforcement actions increased from $2,124,140 in 2022 to $4,176,500 in 2023.

Since 2019, the majority of penalties imposed by OCR resolved alleged violations of the HIPAA Right of Access. The HIPAA Right of Access requires individuals to be provided with a copy of their health records, on request, within 30 days of that request being received and they should only be charged a reasonable, cost-based fee for exercising that right if they are charged at all. Since OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, 46 penalties have been imposed for HIPAA Right of Access violations, 4 of which were in 2023. This is a significant reduction from the 17 HIPAA Right of Access fines imposed in 2022.

Penalties were imposed for other HIPAA Privacy Rule violations in 2023, including one penalty for a lack of policies and procedures relating to access to PHI by employees and one penalty for the failure to obtain authorization from patients before disclosing their PHI to a reporter. Since the 2018 penalty imposed on the University of Texas MD Anderson Cancer Center was vacated on appeal in 2021, OCR appears to have been reluctant to pursue financial penalties for Security Rule violations in all but the most egregious cases. Even so, in 2023 OCR imposed seven penalties to resolve potential violations of the HIPAA Security Rule.

Violations of several HIPAA Security Rule provisions were cited in these enforcement actions, with 6 of the 7 involving risk analysis failures. Another common violation was the failure to maintain and review logs of activity in information systems containing ePHI to identify unauthorized access. One of the penalties stemmed from a report of snooping on medical records by security guards, with OCR determining there was a failure to implement policies and procedures relating to HIPAA Security Rule compliance and a lack of HIPAA Privacy Rule training.

OCR Enforcement Actions in 2023 Resulting in Financial Penalties

HIPAA-Regulated Entity | Penalty Amount | Penalty Type | Individuals Affected | Reason for Penalty
LA Care Health Plan | $1,300,000 | Settlement | 1,498 | Risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and impermissible disclosure of PHI
Banner Health | $1,250,000 | Settlement | 2.81 million | Risk analysis failure, lack of reviews of information system activity, lack of verification of identity for access to PHI, and a lack of technical safeguards
Lafourche Medical Group | $480,000 | Settlement | 34,862 | No risk analysis prior to the 2021 phishing incident, and no procedures to regularly review logs of system activity prior to the incident
MedEvolve Inc. | $350,000 | Settlement | 230,572 | Risk analysis failure, lack of a business associate agreement, and an impermissible disclosure of PHI
Yakima Valley Memorial Hospital | $240,000 | Settlement | 419 | Lack of HIPAA Security Rule policies and procedures
Optum Medical Care | $160,000 | Settlement | 6 | Failure to provide individuals with timely access to their medical records
Doctors’ Management Services | $100,000 | Settlement | 206,695 | Risk analysis failure, lack of reviews of records of system activity, lack of policies/procedures to comply with the HIPAA Security Rule, and impermissible disclosure of PHI
UnitedHealthcare | $80,000 | Settlement | 1 | Failure to provide an individual with timely access to their medical records
St. Joseph’s Medical Center | $80,000 | Settlement | 3 | Disclosure of the PHI of patients to a reporter and a lack of HIPAA Privacy Rule training
iHealth Solutions (Advantum Health) | $75,000 | Settlement | 267 | Risk analysis failure and an impermissible disclosure of PHI
Manasa Health Center, LLC | $30,000 | Settlement | 4 | Impermissible PHI disclosure in response to an online review
Life Hope Labs, LLC | $16,500 | Settlement | 1 | Failure to provide an individual with timely access to their medical records
David Mente, MA, LPC | $15,000 | Settlement | 1 | Failure to provide an individual with timely access to their medical records

Attorney General Penalties for HIPAA Violations in 2023

There was a major increase in enforcement actions by state attorneys general in 2023 in response to security breaches in healthcare, with 15 settlements reached with HIPAA-regulated entities to resolve violations of HIPAA and state consumer protection laws. By comparison, there were only three settlements with attorneys general to resolve HIPAA violations in 2022, four in 2021, and three in 2019. Most of the penalties imposed by state attorneys general in 2023 resolved violations of the HIPAA Security Rule uncovered during data breach investigations, typically a lack of reasonable and appropriate security measures such as multifactor authentication, access controls, encryption, security testing, logging and monitoring, data retention limits, and up-to-date asset inventories.

Four settlements in 2023 came from multi-state actions. Since the entities concerned operated in multiple states, attorneys general pooled their resources and conducted joint investigations. The largest penalty of the year was imposed on Blackbaud and resolved multiple violations of the HIPAA Security Rule that contributed to a breach of the personal and protected health information of 5.5 million individuals. State attorneys general in Oregon, New Jersey, Florida & Pennsylvania joined forces in an investigation of a 2.1 million-record data breach at EyeMed Vision Care, and Pennsylvania & Ohio conducted a joint investigation of DNA Diagnostics Center over a 45,600-record data breach, both of which uncovered multiple HIPAA Security Rule failures.

32 states and Puerto Rico participated in an investigation of the Puerto Rican healthcare clearinghouse, practice management software, and electronic medical record provider Inmediata. HIPAA Security Rule failures were identified that led to a breach of the protected health information of more than 1.5 million individuals, followed by violations of the HIPAA Breach Notification Rule. California imposed a massive penalty on Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals. The case was resolved for $49 million and related to the improper disposal of PHI and hazardous waste, with the bulk of the settlement amount concerned with the latter.

State Attorney General | HIPAA-Regulated Entity | Penalty Amount | Penalty Type | Individuals Affected | Reason for Penalty
49 States and the District of Columbia | Blackbaud | $49,500,000 | Settlement | 5,500,000 | Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state consumer protection laws
California | Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals | $49,000,000 | Settlement | 7,700 | Violations of HIPAA for the improper disposal of PHI and violations of several state laws for the improper disposal of hazardous waste
Oregon, New Jersey, Florida & Pennsylvania | EyeMed Vision Care | $2,500,000 | Settlement | 2.1 million | Lack of administrative, technical, and physical safeguards, and access control failures (use of the same password by several employees)
32 States and Puerto Rico | Inmediata | $1,400,000 | Settlement | 1,565,338 | Failure to implement appropriate safeguards to ensure data security, failure to conduct a secure code review, and data breach notification failures
New York | Practicefirst | $550,000 | Settlement | 1.2 million | Patch management failure, lack of encryption, and a lack of security testing
New York | U.S. Radiology Specialists Inc. | $450,000 | Settlement | 198,260, including 92,540 New York residents | Failure to upgrade hardware to address a known vulnerability
California | Kaiser Permanente | $450,000 | Settlement | Up to 167,095 individuals | Mailing error that resulted in an impermissible disclosure of PHI, failure to promptly halt mailings when there was a known error, and negligent maintenance or disposal of medical information
New York | Healthplex | $400,000 | Settlement | 89,955 (62,922 New York residents) | Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
Pennsylvania & Ohio | DNA Diagnostics Center | $400,000 | Settlement | 45,600 | Lack of safeguards to detect and prevent unauthorized access, failure to update the asset inventory, and failure to disable/remove assets that were not used for business purposes
New York | Personal Touch Holding Corp dba Personal Touch Home Care | $350,000 | Settlement | 753,107 (316,845 New York residents) | Only an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training
New York | New York Presbyterian Hospital | $300,000 | Settlement | 54,396 | Violations of the HIPAA Privacy Rule and New York Executive Law due to the use of pixels on its website that transmitted PHI to third parties
Indiana | Schneck Medical Center | $250,000 | Settlement | 89,707 | Failure to address known vulnerabilities in a timely manner and breach notification failures
New York | Heidell, Pittoni, Murphy & Bach LLP | $200,000 | Settlement | 61,438 New York residents | Widespread non-compliance with the HIPAA Security Rule – 17 HIPAA violations
Indiana | CarePointe ENT | $125,000 | Settlement | 48,742 | Failure to correct known security issues in a reasonable time frame, and lack of a business associate agreement
Colorado | Broomfield Skilled Nursing and Rehabilitation Center | $60,000 ($25,000 suspended) | Settlement | 677 | Violations of HIPAA data encryption requirements, violation of state data protection laws, and deceptive trade practices

Outlook for 2024

It has been a particularly bad year for security breaches in healthcare with hacking incidents continuing to increase in number as well as severity. Cyber actors will continue to target the healthcare industry and with fewer victims paying ransoms, these attacks may even increase as ransomware actors attempt to maintain their incomes. In 2023 we saw increasingly aggressive tactics by ransomware groups including swatting attacks on patients when their healthcare provider refused to pay the ransom and these aggressive tactics look set to continue.

To reduce security breaches in healthcare, more must be done than achieving the minimum standards of the HIPAA Security Rule. If all healthcare organizations implemented the recently announced HHS Essential CPGs, there would be a marked reduction in healthcare cybersecurity breaches in 2024. In practice that will be difficult for many healthcare organizations due to limited budgets and a chronic shortage of skilled cybersecurity professionals; however, the HHS plans to make funding available to help cover the initial cost of security improvements and to establish an incentive program for adopting the Enhanced CPGs. These measures would go a long way toward raising the baseline level of cybersecurity in the healthcare industry and improving resilience to cyber threats.

Steve Alder, Editor-in-Chief, HIPAA Journal


State Of HIPAA – 2024 Predictions

It has been 28 years since President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law – and 22 years since the first of the Administrative Simplification Rules became effective – but HIPAA compliance is still proving a challenge for many HIPAA-regulated entities. This article explores the current state of HIPAA and some of the main aspects of the HIPAA Rules that are proving difficult for HIPAA-regulated entities.

Predictions for 2024

  • OCR will increase enforcement actions for violations of the HIPAA Security Rule that have contributed to data breaches and HIPAA Breach Notification Rule violations for failing to issue timely notifications to individuals whose PHI has been compromised in data breaches. 2024 will see record numbers of settlements and civil monetary penalties.
  • The HIPAA Right of Access will continue to be an enforcement priority for OCR – This is low-hanging fruit. The investigations are straightforward and require few OCR resources and the findings of investigations are unlikely to face legal challenges.
  • OCR is planning a HIPAA Security Rule update in Spring 2024, which we predict will include several new mandatory cybersecurity requirements, including stricter access control requirements such as mandatory multi-factor authentication.
  • A new rule will be introduced regarding disclosures of reproductive health information, which will be prohibited for reasons other than treatment, payment, and healthcare operations and for PHI to be used for identifying, investigating, and prosecuting patients, providers, and others involved in the provision of legal reproductive health care services, in response to the overturning of Roe v. Wade.
  • The lawsuit filed by the AHA in response to OCR’s December 2022 guidance on tracking technologies makes strong arguments that OCR has stretched the definition of protected health information to more than the current statute can bear. Should that challenge not prove to be successful, 2024 will see the first enforcement action over the use of tracking technologies on hospital websites. If the lawsuit is successful, further rulemaking will be proposed regarding tracking technologies to ensure patient privacy.
  • The HHS’ Centers for Medicare and Medicaid Services (CMS) will introduce new cybersecurity requirements as a condition for participation in the Medicare and Medicaid programs.
  • State Attorneys General will step up enforcement of HIPAA compliance and will impose more financial penalties against healthcare organizations that have failed to meet minimum standards for cybersecurity.

HIPAA Enforcement in 2023

The HHS’ Office for Civil Rights (OCR) has been enforcing HIPAA compliance more aggressively in recent years and 2022 was a record year, with 22 penalties imposed to resolve violations of the HIPAA Rules. 17 of the 22 financial penalties imposed in 2022 resolved violations of the HIPAA Right of Access – the failure to provide individuals with timely access to their medical records. OCR’s HIPAA Right of Access enforcement initiative appears to have worked. In 2023, OCR only imposed 4 penalties for HIPAA Right of Access violations. The other 9 penalties were imposed for HIPAA Security Rule failures – risk analysis, technical and administrative safeguards, reviews of information system activity, and verification of identity – and other HIPAA Privacy Rule failures – disclosures of PHI in response to online reviews, disclosures of PHI to reporters, and a lack of policies and procedures/training to prevent HIPAA violations by employees.

OCR has faced challenges with HIPAA enforcement due to a significant increase in its workload in recent years while its budget has remained flat. OCR investigates all data breaches of 500 or more records, and data breaches have been increasing at an alarming rate. OCR explained in its annual report to Congress that since fiscal year 2017, OCR has received a 100% increase in large breach reports, largely driven by an increase in hacking incidents, especially ransomware attacks. In 2021, 75% of breaches of 500 or more records were due to hacking compared to 41.6% of data breaches in 2017, and the problem is getting worse. In 2023, 79.7% of the year’s 725 data breaches were due to hacking.

Between 2017 and 2021, OCR also saw a 28% increase in complaints about potential HIPAA violations, which also need to be investigated. OCR’s hands are somewhat tied as funding has remained flat for years and OCR is also having to cope with inflationary increases. OCR explained in its 2022 report to Congress that it has been forced to decrease its enforcement staff by 45%, and with its resources under incredible strain, that naturally has an impact on the speed of investigations and the number of cases where financial penalties can be pursued.

OCR can increase funding through its enforcement actions, but despite OCR more than doubling the number of settlements and civil monetary penalties (CMPs) in 2022 compared to 2017-2019 levels, OCR had a 92.6% reduction in total penalties compared to 2018, falling from $28.7 million in 2018 to just $2.13 million in 2022 and $4.18 million in 2023. The average HIPAA penalty has fallen from $2.6 million in 2018 (median: $500,000) to just $321,269 in 2023 (median: $100,000). The decrease in penalties is due to a reinterpretation of the language of the HITECH Act, which has seen the maximum penalties for HIPAA violations reduced in three of the four penalty tiers. OCR has asked Congress to increase the maximum penalties for HIPAA violations and is constantly pushing to have its budget increased, but there are no indications at present that additional funding will be provided.

The budgetary pressures have forced OCR to look at other ways of increasing funding such as improving efficiency and productivity through restructuring and getting better use of its existing resources. In 2023, OCR restructured and created a new enforcement division, which it is hoped will allow OCR to investigate data breaches faster, clear the current backlog of investigations, and impose more financial penalties. In 2024 we should start to see results from that restructuring. Time will tell how effective that move has been.

OCR Director, Melanie Fontes Rainer, has confirmed that OCR’s HIPAA Right of Access enforcement initiative is continuing and OCR is making compliance with HIPAA with respect to reproductive healthcare information an enforcement priority, as well as HIPAA Security Rule compliance to protect against the increasing numbers of hacking incidents.

State attorneys general also enforce the HIPAA Rules and in 2023, 16 investigations resulted in settlements to resolve allegations of violations of HIPAA and state privacy laws. State attorneys general in California, Colorado, Florida, Indiana, New York, New Jersey, Ohio, Oregon, and Pennsylvania have taken action against HIPAA-regulated entities for security failures that have led to data breaches, and there were three multi-state actions, including a $49.5 million settlement with Blackbaud to resolve violations of HIPAA and state laws that led to its 5.5 million record data breach.

One of the latest actions, taken against Refuah Health Center Inc. by the New York Attorney General, involved a $450,000 financial penalty to resolve multiple violations of the HIPAA Security Rule. The settlement also included the requirement for $1.2 million to be invested in improving cybersecurity. This could become common in enforcement actions as a way of helping to ensure that similar breaches do not occur in the future.

The State of HIPAA Compliance

OCR has conducted two rounds of compliance audits to assess the state of HIPAA compliance since the HIPAA Privacy and Security Rules were enacted. The second phase of HIPAA audits was launched in 2016, and while OCR has announced its intention to conduct an ongoing program of compliance audits, they have failed to materialize due to budget constraints and it is unlikely that those plans will be resurrected until OCR’s funding issues have been resolved. The 2016-2017 HIPAA audit program identified many areas of noncompliance. Most covered entities were found not to have achieved compliance in the following areas:

  • HIPAA Security Rule risk analysis and risk management requirements
  • Timely breach notifications and adequate content of breach notifications
  • Prominent posting of Notices of Privacy Practices on websites and the content of those notices
  • Timely responses to individuals’ right of access requests and charges for copies of medical records

It has been 6 years since the second phase of the compliance audits came to an end and many of the compliance issues identified by OCR continue to pose problems for HIPAA-regulated entities, as can be seen in OCR’s enforcement actions, which give an indication of the current state of HIPAA compliance.

Most Common HIPAA Violations in OCR’s Enforcement Actions (2020-2023)

HIPAA Violation                                        Number of Cases
HIPAA right of access                                  45
Risk analysis                                          13
Reviews of system activity                             5
Risk management                                        4
Notice of Privacy Practices                            4
Audit controls                                         3
Business associate agreements                          3
Appointment of a HIPAA Privacy Officer                 2
Impermissible disclosure on social media/Internet      3
Lack of technical safeguards                           3
Technical and nontechnical evaluation                  3
HIPAA Privacy Rule policies                            2

Top HIPAA Security Rule Compliance Challenges in 2023

Complying with all HIPAA provisions and implementation specifications can be a challenge, especially for smaller healthcare providers and business associates who do not have extensive resources available to devote to HIPAA compliance. While there are many aspects of the HIPAA Security Rule that can prove challenging, there are some common areas of vulnerability that are identified time and again in OCR’s investigations.

Risk Analyses

The HIPAA Security Rule mandates that regulated entities must conduct comprehensive and accurate organization-wide risk analyses to identify risks and vulnerabilities to electronic protected health information (ePHI). The risk analysis process needs to be ongoing, and the best practice is to conduct these at least annually or as needed, such as following any material change to policies and procedures or changes in technology. The risk analysis must be comprehensive, which means an organization must identify all ePHI within the organization, external ePHI created, received, or maintained by business associates, and all threats to that information must be identified, including human, natural, and environmental threats to ePHI and the systems on which the information is stored. The HHS has developed a Security Risk Assessment Tool to help regulated entities with this vital process.

Risk Management Processes

Once risks and vulnerabilities have been identified they must be subjected to risk management processes and be reduced to a low and acceptable level in a timely manner. Risks must be assessed and remediations prioritized to ensure the risks that are most likely to be exploited are addressed first. Risk management processes also need to be extended to third parties – business associates – which means performing due diligence on vendors throughout the supply chain and implementing processes to identify, assess, and manage vendor risk at each stage of the vendor life cycle – onboarding, ongoing, and offboarding. Reducing risk exposure from vendor relationships is one of the biggest security challenges in healthcare in 2024 and a pressing issue, as hackers are actively targeting the supply chain.

Technical Security Controls

The HIPAA Security Rule does not specify the technical controls that should be implemented to secure systems containing ePHI, as these need to be based on the specific IT architectures of each regulated entity. It is the responsibility of each regulated entity to ensure that appropriate security controls are implemented and that they are effective at reducing risk. Security controls need to be regularly subjected to security assessments to make sure they have been implemented correctly, are operating as intended, and are achieving the desired outcome. HIPAA-regulated entities should conduct vulnerability scans and consider penetration testing to gain a better understanding of vulnerabilities to allow them to be properly managed.

Audit Controls and Information System Activity Reviews

All IT systems that contain ePHI must have audit controls and create logs of system activity, and information system activity reviews should be conducted on audit logs, access reports, and security incident tracking reports. Despite information system activity reviews being a requirement of the HIPAA Security Rule, OCR’s investigations have revealed many organizations only conduct reviews on an ad-hoc basis in response to potential security incidents. Regular reviews allow HIPAA-regulated entities to rapidly identify unauthorized access to ePHI by malicious insiders and hackers. All too often, regulated entities discover unauthorized access by insiders and hackers that has been ongoing for many months or years.

Access Controls

Technical policies and procedures need to be developed, implemented, and maintained for all electronic information systems that contain or allow access to ePHI to only allow access to persons or software programs that have been granted access rights per the organization’s access management policies and procedures. Access controls need to be based on the principle of least privilege, and access must be promptly revoked when individuals leave employment or no longer require access to ePHI. Ineffective access controls can be exploited by malicious actors to move laterally within networks and gain access to huge volumes of ePHI.
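The activity reviews described under Audit Controls and the least-privilege and prompt-revocation requirements above can be put into practice with a small review script. The following is an added example, not the page's or OCR's own code: it runs over constructed ePHI access-log lines and a constructed user roster (all account names, roles, dates and patient ids are invented) and flags access by accounts past their offboarding date, access outside the role's assigned scope, and accounts touching an unusually large number of patient records in a day.

```python
from collections import defaultdict
from datetime import date

# Constructed roster: account -> (role, offboarding date or None).
# Illustrative values only, not taken from any real organization.
ROSTER = {
    "nurse01": ("nursing", None),
    "billing02": ("billing", None),
    "contractor07": ("it", date(2023, 11, 30)),  # offboarded; access should be revoked
}

# Least-privilege scope: role -> EHR functions that role legitimately needs.
ROLE_SCOPE = {
    "nursing": {"chart_view", "med_admin"},
    "billing": {"claims_view"},
    "it": {"sysadmin"},
}

# Constructed audit-log lines: date, account, function, patient id.
# The last block simulates one account pulling 60 distinct patient records in a day.
SAMPLE_LOG = """\
2023-12-04,nurse01,chart_view,P1001
2023-12-04,nurse01,chart_view,P1002
2023-12-04,billing02,claims_view,P1003
2023-12-04,billing02,chart_view,P1004
2023-12-04,contractor07,sysadmin,P1005
2023-12-05,nurse01,chart_view,P1006
""" + "".join(f"2023-12-05,billing02,claims_view,P{2000 + i}\n" for i in range(60))

BULK_THRESHOLD = 50  # distinct patients per account per day that merits a reviewer's attention


def parse_log(text):
    """Parse the CSV-style audit lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, account, func, patient = line.split(",")
        events.append({"date": date.fromisoformat(d), "account": account,
                       "function": func, "patient": patient})
    return events


def review_activity(events, roster=ROSTER, scope=ROLE_SCOPE, threshold=BULK_THRESHOLD):
    """Return (finding_type, account, detail) tuples for a human reviewer to follow up."""
    findings = []
    patients_per_day = defaultdict(set)
    for e in events:
        acct = e["account"]
        if acct not in roster:
            findings.append(("unknown_account", acct, e["function"]))
            continue
        role, offboarded = roster[acct]
        if offboarded is not None and e["date"] > offboarded:
            findings.append(("post_termination_access", acct, str(e["date"])))
        if e["function"] not in scope.get(role, set()):
            findings.append(("out_of_scope", acct, e["function"]))
        patients_per_day[(acct, e["date"])].add(e["patient"])
    for (acct, d), patients in patients_per_day.items():
        if len(patients) >= threshold:
            findings.append(("bulk_access", acct, f"{len(patients)} patients on {d}"))
    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG)):
        print(*finding)
```

In a real deployment the roster would come from the identity system and the log from the EHR's audit export; the point is that the review runs on a schedule rather than only after an incident.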

Telehealth Services

In response to the pandemic, OCR introduced telehealth flexibilities to make it easier for HIPAA-regulated entities to provide virtual care to clients and exercised enforcement discretion with regard to the technologies that can be used to provide these services. Now that the COVID-19 Public Health Emergency has been declared over, that period of enforcement discretion is due to terminate. OCR’s notice of enforcement discretion for telehealth expired at 11:59 p.m. on May 11, 2023, but HIPAA-regulated entities were given a 90-day transition period that came to an end on August 9, 2023. Now, all telehealth platforms must be fully compliant with the HIPAA Security Rule.

Challenges with HIPAA Privacy Rule Compliance in 2024

There are several aspects of HIPAA Privacy Rule compliance that are likely to prove challenging for HIPAA-regulated entities in 2024, and OCR has confirmed that these HIPAA Privacy Rule issues are, or will become, enforcement priorities in 2023 and beyond.

Timely Access to Medical Records

The 2016 HIPAA compliance audits identified widespread noncompliance with the HIPAA Right of Access and increasing numbers of complaints were being received from individuals struggling to obtain copies of their medical records. OCR launched a new compliance initiative in 2019 targeting noncompliance with the HIPAA Right of Access, and the bulk of OCR’s subsequent enforcement actions to date have been for noncompliance with the HIPAA Right of Access. OCR is continuing with this enforcement initiative, and further, the proposed Privacy Rule changes that are expected to be finalized in 2024 will likely see the time frame for providing records decrease from 30 days to 15 days.

Tracking Technologies

In 2022, investigations into the use of tracking technologies on websites revealed the extent to which these third-party code snippets were being used by healthcare organizations. The code snippets collect valuable data on websites and web app user activity, which can be used to improve those services; however, the code can also collect identifiable health information and transmit that information to third parties. Those third parties typically do not sign business associate agreements, and using the code without a BAA in place or first obtaining consent from individuals to share that information is a HIPAA violation. OCR issued guidance on tracking technologies and HIPAA in December 2022 and the OCR Director has issued a statement confirming OCR will be enforcing this aspect of compliance. Many lawsuits have been filed against healthcare providers over privacy violations related to the use of tracking technologies, some of which have resulted in multi-million-dollar settlements. Whether there will be enforcement will hinge on the ruling in a lawsuit filed against the HHS by the AHA, which challenges the legality of its guidance and is attempting to prevent OCR from enforcing the guidance.

Disclosures of Reproductive Health Information

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization removed the federal right to abortion, leaving it to individual states to decide on the legality of abortions in their respective states. As of January 2024, 14 states have implemented total bans on abortions, a further 2 have placed 6-week limits, and another 6 have implemented bans that are not yet being enforced due to legal challenges.

Fears exist that some anti-abortion states may attempt to take legal action against individuals who facilitate terminations in states where abortion is legal as well as prosecuting individuals who travel out of state to have abortions in more permissive states. OCR is concerned the threat of criminal activity may prevent some patients from sharing important health information with their healthcare providers. Consequently, OCR is proposing a new category of PHI for reproductive health information. If finalized, Covered Entities will only be allowed to disclose reproductive health information (other than for TPO purposes) to third parties who attest the disclosure will not be used to prosecute facilitators of terminations in states where abortions are legal. False attestations will be considered wrongful disclosures under §1177 of the Social Security Act.

Staff Training

The Verizon Data Breach Investigations Report highlighted the extent to which data breaches are caused by human error. Out of all data breaches analyzed by Verizon in 2022, 82% involved the human element. Those data breaches include misconfigurations, responses to phishing and social engineering attacks, failures to set strong passwords, and other mistakes. These mistakes often expose ePHI and make it easy for hackers to gain access to healthcare networks. The only way of tackling human error is through education. The HIPAA Privacy Rule requires regulated entities to provide training on HIPAA policies relevant to each individual’s role, while the HIPAA Security Rule requires a security awareness training program. In the case of the latter, increasing the frequency of training can help to create a security culture and eradicate bad security practices.

Looking Forward – Pending Changes to the HIPAA Rules

While updates to the HIPAA Rules are made fairly infrequently, there are pending changes to the HIPAA Privacy Rule that are due to be finalized in 2024. OCR has also recently announced its intention to improve privacy protections for reproductive health information through new HIPAA rulemaking, and the HHS’ Centers for Medicare and Medicaid Services (CMS) has proposed updates to transaction code sets to enable the electronic transmission of healthcare attachment transactions. States are also introducing new laws to better protect the privacy of state residents and ensure they are notified in the event of privacy breaches. Staying up to date with changes to state laws and ensuring compliance will be an ongoing challenge.

In December 2023, OCR also published its Healthcare Cybersecurity Strategy which outlined its plans for improving the resiliency of the healthcare industry to cyberattacks. OCR said it will be establishing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) and will be incentivizing healthcare organizations to adopt these goals. The priority is raising baseline cybersecurity across the healthcare sector by providing incentives to achieve essential HPH CPGs and encouraging the adoption of enhanced HPH CPGs. While HPH CPGs will be voluntary initially, OCR intends to make the essential HPH CPGs mandatory and enforceable. OCR is seeking additional funding for enforcement but also to help healthcare organizations make the necessary investments in cybersecurity and cover the initial costs.

OCR believes regulatory updates are required in addition to funding and voluntary goals to drive the behavioral changes needed across the sector and has confirmed that a much-needed update to the HIPAA Security Rule will be proposed in Spring 2024, which will include new cybersecurity requirements. Action is also being taken at the state level to improve healthcare cybersecurity. In response to a large increase in cyberattacks on hospitals in New York State, the New York Attorney General is proposing new cybersecurity requirements for New York hospitals and has also budgeted for assistance for hospitals that have limited resources to help them comply with the new regulations.

While the proposed HIPAA updates are intended to improve the privacy and security of personally identifiable information and reduce the administrative burden on HIPAA-regulated entities, they are a cause of concern for many HIPAA-regulated entities that will have to spend considerable time and effort implementing the changes and ensuring their employees are fully trained. The HHS will provide a grace period to allow the changes to be implemented before compliance becomes mandatory, but it is important to start updating policies and procedures as soon as possible to ensure compliance with these new requirements to ensure the deadlines are not missed.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post State Of HIPAA – 2024 Predictions appeared first on HIPAA Journal.