Photo by Sai Kiran Anagani via Unsplash
If it seems as if you’ve been reading more about data breaches of hospitals and health care organizations lately, you’re not imagining it.
Between 2009 and 2020, 3,705 health care data breaches involving 500 or more records have been reported to the Department of Health and Human Services’ Office for Civil Rights, according to an article in HIPAA Journal. Those breaches resulted in the loss, theft, exposure or impermissible disclosure of over 268 million health care records. The average number of breaches per day in 2020 was 1.76.
Data breaches can be defined as any impermissible use or disclosure that compromises the security or privacy of protected health information. HHS maintains an updated list of all breaches reported in the previous 24 months. It can be searched by covered entity, state, date, and number of people affected. Most of the 834 incidents listed as of July 20, 2021, appear to have resulted from hacking, although others have resulted from improper disposal of paper and films, loss or theft of records, and unauthorized access or disclosure.
Here are a few incidents from just the past few months:
- In April, San Antonio-based University Health began notifying 2,704 patients that its billing services vendor, Med-Data, had fallen victim to a data breach, according to a Becker’s Health IT report. Med-Data said a former employee saved protected health information files containing patient Social Security numbers, addresses and birthdates to personal folders that they then published on a public website. The files were removed in December 2020 after an independent journalist told the company that some of its data had been shared. Other companies affected by this breach included Memorial Hermann Health System in Houston and University of Chicago Medicine.
- Also in April, Montefiore Medical Center in New York announced it was notifying patients about a security breach involving information illegally accessed by a former employee. The employee, who viewed patient records between January 2020 and February 2021, was fired; the case was referred to law enforcement. The hospital discovered the improper access via monitoring software. Information accessed included patient names, addresses, emails, birth dates and the last four digits of Social Security numbers. Another employee was fired in January for similar actions.
- In May, University of Florida Health Shands announced it had notified 1,562 people affected by a privacy breach in which a former employee accessed medical records “outside the scope of their duties” between March 30, 2019, and April 6, 2021. The hospital learned of this April 7 and terminated the employee’s access to all medical records and other systems. The hospital had no reason to believe the information — including patient names, mailing addresses, phone numbers, birth dates and clinical information from emergency room visits — was further shared or disclosed.
- In July, Advocate Aurora Health in Wisconsin said it was among approximately 170 health care systems affected by two security incidents in April 2021 targeting Elekta, a third-party company used to coordinate delivery of radiation services and therapies to patients in seven Illinois sites. Elekta experienced a data security incident related to one of its information cloud storage systems that hosted and stored Advocate Aurora’s patient information. Elekta suspended access to the system and engaged a forensic investigator to study the incident. However, the intrusions resulted in potential access to and theft of patient information, such as patient’s names, addresses, birth dates, Social Security numbers, and medical treatment details.
Health care breaches don’t come cheap. The average cost of a health care data breach is $7.13 million, according to a recent IBM report.
Why is this happening?
Several factors are contributing to the rise in breaches, according to Dean Sittig, Ph.D., a professor of biomedical informatics at the School of Biomedical Informatics at UTHealth in Houston, and coauthor of a 2016 paper on ransomware attacks. For one, more devices such as infusion pumps and pacemakers are outfitted with network connections that allow them to communicate, often via the Internet, with hospital records. This is known as the Internet of Things (IoT). It’s great for generating data but does add more potential portals for hackers or leakage of information.
Another is the rise in employees having access to health care information, even from their homes or mobile devices. This increased dramatically during the COVID-19 pandemic.
Computers have thousands of ports, like doors, Sittig explained during a recent phone interview. Most are locked but some are open, allowing you to access the Internet, send email or get to an electronic health record. “If you don’t have those managed correctly, it’s easy for someone to run a program to get into those ports,” he said. “Just by making the information more accessible to authorized users, by definition we’ve made it more likely to get breached.”
Security of information and ease of access are at opposite ends of a seesaw, he said. As a result, organizations are always trying to balance keeping workers happy and productive while doing the best they can to secure information.
When employees are the source of a breach, it could be because the person is disgruntled or looking to make money by selling patient information. Or it could be innocuous, like someone concerned about a friend’s health who accesses their files and finds information they shouldn’t, or someone lured by a phishing scheme to provide their user name or password to an outsider.
What journalists can do
When reporting on data breaches, keep in mind that not all disclosures are the same, Sittig said.
“If the hospital loses a list of patients and phone numbers, that’s a breach,” he said. “But that’s not the same as losing my name and a list of all my medications, or any alcohol or drug abuse treatment history. You want to know, to the best of their ability, what information got out.” If the provider is unsure, he said, assume all information has been compromised.
Other questions to ask are about how secure or how recent the information was, Sittig said. Information that’s 10 years old may not be as damaging as current data. How many patients were affected, and what is the organization going to do to remedy the situation? Some hospitals have offered free credit monitoring services to those impacted by breaches. If you find yourself the recipient of a breach notification, consider monitoring your own credit as well.
Reporting on these cases helps educate the public as well as other health system employees, Sittig said. Chief information security officers (CISOs) and patient safety officers in hospitals are good people to contact for additional perspective.