Per HITECH Act regulations, the US Department of Health & Human Services (HHS) publishes a rolling list of protected health information (PHI) breaches which affect more than 500 individuals on their Breach Portal, colloquially known as the “Wall of Shame.”
Amy Wood, breach mitigation specialist and HIPAA educator at ACS Technologies LLC, says, “If you are not familiar with this site, you should be. It is extremely informative in understanding the trends in which OCR is focusing their attention.”
Fines for one violation range from $100 to $50,000 for each instance of wrongdoing, with a maximum penalty of $1.5 million per year for a single breach.
High Level Trends
There were 418 HIPAA breaches reported in 2019. In total, 34.9 million Americans had their PHI compromised last year.
This represents roughly 10 percent of the US population in a single year of breaches.
When it came to the sheer number of individuals affected in 2019, network server breaches led the pack, with 30.6 million individuals’ PHI breached.
However, although network server breaches affected more people, email was the more frequent breach location. Network servers were breached 84 times (20 percent of breaches), while email was breached 161 times (39 percent of breaches).
This is why it is supremely important that, as a healthcare provider, you only send HIPAA-compliant email to your patients.
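The distinction drawn above, between which breach location affects the most people and which one occurs most often, is exactly the kind of trend a defender can pull out of the Breach Portal's downloadable report. The following Python is an added example, not code from the article or from HHS; the column names are an assumption modelled on the portal's export, and the rows are constructed, not real breaches.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like the HHS Breach Portal export (column names are an
# assumption about the export format; every row is invented for illustration).
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,TX,Healthcare Provider,1200,01/15/2019,Hacking/IT Incident,Email,No
Example Clinic B,OH,Healthcare Provider,3400,02/02/2019,Hacking/IT Incident,Email,No
Example Hospital C,CA,Healthcare Provider,250000,03/10/2019,Hacking/IT Incident,Network Server,Yes
Example Plan D,NY,Health Plan,800,04/21/2019,Unauthorized Access/Disclosure,Email,No
Example Lab E,FL,Healthcare Provider,52000,05/05/2019,Hacking/IT Incident,Network Server,Yes
Example Practice F,WA,Healthcare Provider,600,06/30/2019,Theft,Laptop,No
Example Clinic G,IL,Healthcare Provider,900,12/20/2018,Hacking/IT Incident,Email,No
"""


def load_breaches(text):
    """Parse the CSV export into dicts, converting the count and submission date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = dict(row)
        row["Individuals Affected"] = int(row["Individuals Affected"])
        row["Breach Submission Date"] = datetime.strptime(
            row["Breach Submission Date"], "%m/%d/%Y"
        ).date()
        rows.append(row)
    return rows


def filter_year(rows, year):
    """Keep only breaches submitted in the given calendar year."""
    return [r for r in rows if r["Breach Submission Date"].year == year]


def summarize_by_location(rows):
    """Per breach location: incident count, individuals affected, and each as a share of the total.

    A location can rank first by individuals while another ranks first by incidents,
    which is the pattern the 2019 numbers show (network server vs. email).
    """
    total_incidents = len(rows)
    total_individuals = sum(r["Individuals Affected"] for r in rows)
    agg = defaultdict(lambda: {"incidents": 0, "individuals": 0})
    for r in rows:
        loc = r["Location of Breached Information"]
        agg[loc]["incidents"] += 1
        agg[loc]["individuals"] += r["Individuals Affected"]
    for stats in agg.values():
        stats["incident_pct"] = round(100 * stats["incidents"] / total_incidents, 1)
        stats["individuals_pct"] = round(100 * stats["individuals"] / total_individuals, 1)
    return dict(agg)


def business_associate_share(rows):
    """Percent of affected individuals whose breach involved a business associate."""
    total = sum(r["Individuals Affected"] for r in rows)
    with_ba = sum(
        r["Individuals Affected"] for r in rows if r["Business Associate Present"] == "Yes"
    )
    return round(100 * with_ba / total, 1)


if __name__ == "__main__":
    breaches = filter_year(load_breaches(SAMPLE_CSV), 2019)
    for location, stats in sorted(summarize_by_location(breaches).items()):
        print(f"{location:15s} incidents={stats['incidents']} ({stats['incident_pct']}%)"
              f" individuals={stats['individuals']} ({stats['individuals_pct']}%)")
    print(f"business associate share of individuals: {business_associate_share(breaches)}%")
```

Run against the real export, the same three functions reproduce the article's comparison (incident count versus individuals affected per location) and the share of victims attributable to business associate breaches, which is the figure the AMCA incident below dominates for 2019.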
2019 Breach Highlights (or Lowlights?)
Twenty-Five Million People Affected by One Business Associate Breach
A total of eighteen different healthcare providers were affected by the breach of a shared business associate, American Medical Collection Agency (AMCA), after its network server was hacked in August 2018.
There is often a delay between when a breach occurs and when it is discovered, because companies frequently do not realize right away that their data has been compromised. This means attackers can continue to access patient information for months or even years before they are stopped.
In the case of AMCA, the data breach went undetected for eight months, racking up HIPAA violations all the while.
In total, 25 million people, 72 percent of all individuals who had their information compromised last year, were affected by the AMCA breach.
As a result of the loss of business and cost of the breach, AMCA’s parent company filed for Chapter 11 bankruptcy.
The dubious title of “Largest Email Breach of 2019” goes to UConn Health. Over 325,000 people’s healthcare data was exposed due to a successful phishing attack. Not only does UConn face HHS fines, it is also embroiled in a class-action lawsuit with the victims.
According to the 2019 HIMSS Cybersecurity Survey, falling for a phishing email scam is the most common cause of HIPAA breaches (59 percent), followed by human error (25 percent),
Don’t Let This Happen to You
To avoid the fines and disgrace associated with a HIPAA breach, as a healthcare provider you must make provisions for protecting patient data, especially in its electronic form.
Be sure to encrypt all email, including email marketing, that you send to patients. Equally important is protecting your team against phishing attacks, which is a growing threat in the healthcare sector.
And be careful whom you do business with! You can be held accountable for your business associate’s mistakes. Make sure you only partner with companies that take security seriously.