A Data Breach a Day – Part 1

by Alex Hirsch (SU)

Last March, data breaches in the health care industry were reported at least once a day. This is an astounding statistic.

How does this keep happening? What can be done to prevent data breaches, and how does HIPAA compliance play a role?

In today’s article, we take a look at a few example cases of data breaches in health care, and we outline what needs to be done to protect the privacy of those who are entrusting you with their personal information.

The Navicent Health Data Breach

The largest data breach recorded in March was reported from Navicent Health. Investigators were able to determine that hackers had gained access to critical patient information – 278,016 patients’ accounts were potentially accessed and copied by the attackers, all thanks to a simple phishing attack. (Phishing is an attack in which someone is tricked, usually by a fraudulent email, into handing over credentials or other access to their computer systems or information.)

Since then, Navicent Health has started educating its employees, reviewing its IT infrastructure, and evaluating its security controls over email systems, with the goal of keeping its environment protected from similar incidents. In addition, Navicent announced that patients will receive free credit monitoring for an entire year, along with identity theft protection, both paid for by the medical center on behalf of those impacted.

These are all good things, certainly. But as we’ve mentioned before about noncompliance, they’re reactive. The damage has already been done, and hundreds of thousands of patients have already been affected.

On a separate note, it’s worth mentioning that under HIPAA law, all breaches affecting 500 or more individuals must be reported within 60 days of first discovering the incident. Failure to do so will result in an investigation by the U.S. Department of Health & Human Services, Office for Civil Rights.

Following the HIPAA regulations could have avoided this incident in the first place.

The ZOLL Medical Data Breach

This was another large breach which affected just about as many people as the Navicent Health data breach did. 277,319 individuals were impacted by the ZOLL Medical data breach when its email archiving company accidentally removed protections on its network servers. At the time of this writing, we still don’t know whether those records were accessed by unauthorized individuals during the time the information was exposed, and it will more than likely be much longer before we learn whether anyone was harmed as a result.

Events like this can take months or even years before security investigators can connect the dots between a stolen identity and a stolen database. We may never know.

The Burrell Behavioral Health Data Breach

In this data breach, 67,493 patients had their full ePHI (electronic protected health information) exposed thanks to a single employee’s mistake. This is a perfect example of how it takes only one person’s honest, easy-to-make error to affect thousands of people. (It’s also worth noting that this was actually the second time in two years that Burrell Behavioral Health reported a data breach.)

If anything, this should absolutely underscore the vital importance of strict adherence to HIPAA guidelines, and of making certain that all employees are fully trained to follow these standards.

Why Do Data Breaches Keep Happening?

In Part Two of our blog series, we will take a look at a few additional case studies, as well as examine where these data breaches keep coming from. We’ve talked about the primary culprit before, but a few of the others may really surprise you.

Knowing where your points of vulnerability are can help you protect your organization from liability – not to mention protect the trust of those who have placed their privacy in your hands. Do the right thing by staying vigilant. Contact us online or by phone at (800) 733-6379 if you’d like to talk about how your company can maintain full HIPAA compliance at all times.