Lessons learned from the biggest HIPAA blunders of 2018

Cybercriminals target the healthcare industry because of the many ways they can make money from stolen electronic patient health information (ePHI). They can sell the data on the dark web, hack patients’ credit cards, or demand a ransom so that they won’t release sensitive health information to the public.

As the number of HIPAA violations skyrocketed in 2018, it’s safe to say that PHI security will be a major concern this new year. Let’s see what we can learn from last year’s major HIPAA blunders.

MD Anderson Cancer Center’s $4.3 million HIPAA penalty

Breach summary

The Center’s multimillion-dollar fine was the fourth largest settlement amount for HIPAA violations. The US Department of Health and Human Services Office for Civil Rights (HHS OCR) investigated MD Anderson after three data breaches in 2012 and 2013. These breaches involved the theft of an unencrypted laptop and the loss of unencrypted USB thumb drives containing the ePHI of more than 33,500 people.

According to the report by the OCR, MD Anderson didn’t encrypt their devices from March 24, 2011 to January 25, 2013, resulting in security breaches. Despite these findings, the health institution maintains that in all three cases, no patient information was viewed and no patient was harmed. As of this writing, MD Anderson still plans to appeal the ruling.

Lesson learned

PHI records contain crucial information such as contact details, financial account information, and social security numbers. This kind of information is difficult to change, which makes it more valuable on the dark web.

Healthcare organizations must treat ePHI as their most valuable asset. It must always be encrypted, and access to it must be secured with multifactor authentication. If a breach threatens the security and privacy of individuals, notify regulators, cooperate with their investigation, and respond to any of their queries in a timely and complete manner.

California Department of Developmental Services

Breach summary

The infiltration of the Department of Developmental Services (DDS) on February 11, 2018 was the largest incident to be reported to the OCR in 2018. Thieves broke into the DDS offices, vandalized the property, and started a fire that triggered sprinkler systems. Because of the fire, it was impossible to determine if any PHI was compromised, but the criminals potentially had access to the sensitive information of 15,000 individuals and the PHI of more than half a million patients.

Lesson learned

Protecting your data from virtual predators isn’t good enough. You must also improve your business’s physical security and implement a business continuity and disaster recovery (BCDR) plan. With such a scheme in place, rebuilding your office won’t cause as long a downtime as it would without one, and you’ll have backups of critical health information.

LifeBridge Health, Inc.

Breach summary

On March 18, 2018, LifeBridge Health of Baltimore detected malware on its patient registration and billing systems and on a server of one of its physician practices. After a forensic investigation, they discovered that an unauthorized person had been accessing their server since September 27, 2016 and potentially infiltrating their ePHI.

Lesson learned

Your organization needs to be more vigilant in preventing cyberattacks. Assess and scan your hardware and software regularly to detect unauthorized access and possible attacks on your systems and data.

Don’t let a blunder like LifeBridge’s go unnoticed for years. More importantly, hire a managed services provider (MSP) to keep vigil for you. MSPs can safeguard your infrastructure 24/7.

Center of Orthopaedic Specialists - Providence Medical Institute

Breach summary

In February 2018, one of the Institute’s IT vendors notified it that an individual had gained unauthorized access to its network. The hacker installed ransomware on the network and encrypted files containing PHI. More than 85,000 patients were affected by this attack.

Lesson learned

Healthcare organizations must be vigilant against ransomware. Applications and systems need to be updated regularly, and software or hardware that is no longer supported by its original manufacturer has to be replaced.

If your firm is having difficulty implementing cybersecurity measures and complying with HIPAA regulations, partner up with a reliable MSP such as Netcom Solutions.

Tufts Associated Health Maintenance Organization, Inc.

Breach summary

In January 2018, Tufts Health Plan discovered that one of its mailing vendors had been sending out member identification (ID) cards to members in envelopes that displayed PHI through their clear windows. Instead of displaying members’ names and addresses only, the envelopes also showed the Tufts Health Plan member ID number.

Lesson learned

Aside from your employees, third-party vendors must also be trained in HIPAA compliance, as they may become the source of data breaches. These vendors must sign Business Associate Agreements (BAAs) so that they can be held accountable for such unauthorized disclosures of sensitive information.

Additionally, without proper training, staff and third-party vendors won’t understand how cyberthreats operate or how to prevent them. Most hackers take advantage of such ignorance to get hold of your data and use it for criminal activities. People in the health industry need to know how to recognize phishing scams and what preventive measures to take against cybercrime to keep ePHI safe.

Want to learn more about ways to secure sensitive ePHI? Call us today — you can rely on Netcom Solutions for effective HIPAA compliance services and other IT solutions made especially for the healthcare industry.