Many articles are circulating that slice and dice the data from the 2015 data breaches that impacted more than 500 people. The data comes from the infamous Department of Health and Human Services’ HIPAA “Wall of Shame.” The data being published puts a lot of emphasis on hacking and the impact that it has had on healthcare over the past year. There is no doubt that hacking did have a BIG impact on the data breaches of 2015; however, the data is slightly skewed due to one data breach that impacted approximately 78 Million Individuals – the Anthem data breach. In fact, three data breaches caused by hacking skewed the image of what actually happened in 2015 with healthcare data breaches.
A total of 113,208,516 individuals were impacted by 266 data breaches in healthcare in 2015. The Anthem data breach (78.8 Million individuals), the Excellus data breach (10 Million individuals), and the Premera Blue Cross data breach (11 Million individuals) accounted for only 3 of the total data breaches but impacted 88% of the total individuals whose data was breached. That is definitely a significant happening in 2015; however, it is important to look at the data as a whole and understand that there were outliers that significantly impacted the 2015 data breach picture.
Looking at the data in several different ways can help shed some light on other important aspects of data breaches impacting greater than 500 individuals in healthcare during 2015. While hacking had a significant impact on the number of people affected in 2015, the category of Hacking/IT Incidents only accounted for 57 (21%) of the 266 data breaches that were reported on the Department of Health and Human Services HIPAA “Wall of Shame.”
Based on the number of data breaches impacting over 500 individuals, what actually occurred in 2015 besides the large Anthem data breach that skewed the view of the year's data breaches? Here are some facts that may help paint an actual picture of what occurred in 2015.
- #1 Data Breach Type: Unauthorized Access/Disclosure – 38% of 2015 Data Breaches
- #1 Data Breach Location: Paper/Films – 27% of 2015 Data Breaches
- #1 Data Breach by Covered Entity Type: Healthcare Providers – 73% of 2015 Data Breaches
- Top Range of Number of Individuals Impacted: 1,000 – 9,999 Individuals Impacted – 53% of 2015 Data Breaches
Healthcare organizations need to understand that it is not just one area that is at risk for data breaches. Each organization needs to spend time evaluating itself, and specifically the protected health information that it creates, stores, transmits or maintains, to understand what risks it has. Data breaches are being caused by a significant number of reasons, and it is important to know that hacking/IT incidents are only one of the areas to focus on. Hacking/IT incidents will definitely impact a great number of individuals, as the hackers get access to a larger amount of data; however, a data breach caused by another issue, such as an unauthorized disclosure, causes just as much damage to an individual as someone hacking into a system and gaining information.
Understanding the entire picture of what occurred in healthcare data breaches in 2015 will help organizations prepare for proper protection of patient information.
Moral of the Story – don’t just focus on one item when it comes to protecting and safeguarding patient information. Focus on privacy and security of healthcare data as a whole; it is the best defense against the unwanted data breach.
Cheers!
Danika
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Data Breach: It WILL NEVER Happen to Our Organization
You choose your path: Be Prepared OR Be Scared.
How many times have you heard an organization say “A data breach will never happen here,” “We are too small for a data breach to happen,” “It only happens to hospitals and insurance companies.” The thought that a data breach will never happen to your organization can be your biggest mistake in the preparation and defense in the event that a data breach does occur. If you asked all the organizations who have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.
Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur. Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated.
Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.
- Buffalo Heart Group, 500 to 600 impacted – Third party working under a physician accessed information outside of the scope of the work to solicit patients with the movement of a physician to a new practice
- Unity Recovery Group, Inc., Fewer than 1,000 impacted – improper disclosures of patient information to unaffiliated recovery services
- New Jersey Medical Center, 1,400 Impacted – An e-mail with a spreadsheet meant for internal use was sent to an incorrect recipient
- Beacon Health, unknown impacted – Victim to a sophisticated phishing attack that caused unauthorized access to e-mails with PHI
- University of Rochester Medical Group, 3,400 Impacted – Former Nurse Practitioner took patient’s personal information with her when she left for another organization
- HHC Jacobi Medical Center, 90,000 impacted – Improper access and transmission of files containing PHI to personal email account
- Associated Dentists – theft of a laptop – one was encrypted and the other was not encrypted
One piece of advice to all healthcare organizations and business associates: Be Prepared. Don’t follow the path of so many and think that a data breach will never occur within your organization.
If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization. Go through practice drills to assure the process gets practiced and is realistic in the event of a potential data breach occurring.
If additional help is needed, reaching out to experts in the industry is always a great idea. Having third party assistance in the creation and establishment of a process for your organization can help alleviate some of the fears and challenges that healthcare covered entities face.
Be prepared, plan accordingly, and assure your breach investigation process is ready. You never know when your organization may be the next data breach – a good response plan can save your organization from the unwanted repercussions that data breaches bring to organizations.
“If you are failing to plan, you are planning to fail.” – Tariq Siddique
Danika