In the past 12 months, there were 393 protected health information breach incidents reported to HHS.
The incidents included email account compromises, unauthorized access to EHRs and medical records, and inadequate third-party business associate agreements. Here is a list of common reasons for HIPAA violations.
1. Employee email phishing attacks. There were 142 hacking incidents related to email attacks reported since last June. Cybercriminals are becoming more sophisticated with phishing emails, and their efforts intensified during the pandemic. Despite hours of training and reminders, healthcare employees continue to fall victim to phishing emails, and a single compromised mailbox can expose thousands of patient records.
Recent phishing attacks include:
• University of Utah Health reported an email hack that lasted for 45 days and affected 2,700 individuals.
• District Medical Group reported 10,190 patients’ information was breached as a result of an employee email phishing incident.
• Advocate Aurora Health reported an email phishing incident at Marinette, Wis.-based Aurora Medical Center-Bay Area that affected 27,137 individuals.
2. Malware and ransomware attacks on networks. Cybercriminals are speeding up their ransomware and malware attacks on hospital networks, according to a report in The Wall Street Journal. Previously, attackers would spend more time inside a network going through data before deploying ransomware, but during the pandemic they have begun deploying it almost immediately, because hospitals under pressure to restore access to patient data are more likely to pay quickly.
Recent malware and ransomware attacks include:
• Magellan Health, a Phoenix-based managed care company, was hit by a ransomware attack in April.
• University of Utah Health reported a malware attack in January that exposed patients’ information.
• The Champaign-Urbana (Ill.) Public Health District’s website was shut down on March 17 due to a ransomware attack.
• Jordan Health in Rochester, N.Y., had its network shut down in February due to a ransomware attack.
3. Medical record snooping. Several hospital and health system employees have accessed medical records without a legitimate need, and in a number of cases the employee was terminated or resigned. The temptation to look up patient information is greatest when a hospital treats high-profile individuals or cases.
Recent medical record snooping cases include:
• Kaiser Foundation Health Plan of the Mid-Atlantic reported an employee inappropriately accessed members’ radiology records from 2012 to 2020.
• Lurie Children’s Hospital of Chicago reported an employee inappropriately viewed more than 4,800 patient medical records and terminated the employee.
• Northwestern Memorial Hospital in Chicago fired 50 employees that inappropriately viewed medical records for Jussie Smollett, an actor who was treated at the hospital.
4. Improper disposal of medical records. There is a correct and an incorrect way for healthcare organizations to dispose of medical records, and improper disposal is a HIPAA violation. Seven healthcare providers disclosed earlier this year that some patient and employee records had been dumped in unsecured locations. The institutions involved included Saint Joseph Health System in Mishawaka, Ind., which entrusted records containing protected health information to Central Files, a vendor hired to destroy some of the records and securely transfer the rest to storage. Instead, the company dumped some of the records in an unsecured location.
Saint Francis Healthcare in Charleston, S.C., also reported improper paper records disposal in January, which exposed 1,634 patients’ records.
5. Theft of medical records. There have been 39 incidents of medical record theft in 2020 so far, including electronic files, files stored on stolen laptops and paper files. The largest theft this year was at Health Share of Oregon; the health plan reported that a laptop containing information about 654,362 individuals was stolen. Stealing PHI also carries serious consequences: in May, a former clinic administrator was sentenced to four years in federal prison for accessing patients' medical records to steal their information and sell their identities.
6. Non-compliant third-party business agreements. Healthcare organizations must choose their partners wisely; a business associate that doesn't comply with HIPAA, or that experiences a cybersecurity incident, can expose patient information and violate the law. A business associate was involved in 91 of the breach incidents reported in the past year, and 41 of those breaches were reported by healthcare providers' business associates themselves. Optum360 reported the largest business associate breach in the past year, a hacking incident that affected 11.5 million individuals. BST & Co. also reported a hacking incident in February that affected 170,000 individuals. Both incidents were network server breaches.
7. Downloading PHI on unauthorized devices. Healthcare personnel are busier now than ever, but they still must access PHI only on authorized devices. Clinicians and team members working remotely may access PHI only on authorized devices and must not download it to unsecured locations.
8. Medical records exposed during natural disasters. Even the best-laid plans can be foiled by Mother Nature and other unforeseen phenomena. Earlier this year, Community Health Systems in Franklin, Tenn., reported that a tornado damaged the Stat Informatics Solutions building in Lebanon, Tenn., and exposed around 2,500 of the system's medical records that were stored there. The facility also housed medical records from other organizations.
The global pandemic has also paved the way for unintentional HIPAA breaches. In the wake of the fast-spreading COVID-19 virus, many health systems updated processes and protocols for identifying employees who tested positive and deploying quick contact tracing to promote self-isolation among those at risk of further spreading the disease. On June 5, Yale New Haven Health reported that its occupational health staff had accessed a small subset of COVID-19-related data in medical records as part of its efforts to ensure symptomatic staff and employees were notified of their COVID-19 status. The health system apologized to the 506 individuals affected.
9. PHI accidentally posted online. There have been multiple incidents in the last year of hospitals and health systems, or their business partners, inadvertently posting protected health information online. In May, Ashtabula (Ohio) County Medical Center disclosed that an Excel spreadsheet posted on its website on Jan. 6, to comply with government requirements on medical cost disclosures, also contained PHI of about 3,683 patients.
Castro Valley Health in San Ramon, Calif., a home healthcare services provider, inadvertently sent patient information to a third-party website. The incident, reported on June 8, affected patients who received care at CVH in 2016-17. The provider said the information was "heavily coded" when published, and it has since been removed from the website, Docker Hub. Docker Hub is a public container image registry, so anything pushed to it is publicly retrievable until it is taken down, and encoding data is not the same as encrypting it.
10. Loss of medical records. Eleven security incidents in the past year have involved the loss of medical records. Notable instances occurred at Walmart, where 3,606 individuals were affected by a breach in February 2020, following a separate incident in October 2019 in which Walmart reported that a portable device holding 4,211 patients' information was lost. Renown Health in Reno, Nev., also reported a loss incident affecting 27,004 individuals in August 2019.