U.S. Healthcare Breaches: Bigger Than Email

December 06, 2019
Gretel Egan

Between January 1 and November 19, 2019, U.S. healthcare organizations publicly disclosed 387 breaches, which affected nearly 40 million people. This is according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which lists breaches of unsecured protected health information (PHI) that affect 500 or more individuals.

Email was the most common source of breached information among these incidents, but issues extend beyond the inbox. Analysis of data from the OCR breach portal reveals the complexities associated with protecting PHI. It also underscores the need for vigilance on the part of healthcare organizations, their business associates and the workers who handle confidential data.

Hacking/IT Incidents Rule … But Other Actions Have Big Impacts

Hacking and IT incidents dominated the 387 breaches cataloged during the first 10+ months of 2019. Email was the sole breach source in most of those incidents (128), affecting nearly 2.4 million individuals. But that number pales in comparison to the impacts felt from breached network servers. Though servers factored into fewer incidents (79), those breaches affected more than 31 million people.

It's not a surprise that hacking/IT incidents account for the lion’s share of the reported breaches. But other actions—including careless behaviors—regularly compromise the security of PHI:

  • Improper disposal – Four breaches affected nearly 22,000 people
  • Loss of devices and paper/film records – 12 breaches affected more than 71,000 people
  • Theft of devices and paper/film records – 28 breaches affected more than 210,000 people
  • Unauthorized access/disclosure – 108 breaches affected more than 450,000 people

Email Hygiene Is Critical … But So Are Physical Security Measures

In addition to tracking breach types, the OCR tracks the location(s) of breached information. As noted above, email was the most common source of breached data among hacking/IT incidents. But it also factored into 24 breaches related to unauthorized access/disclosure. In total, email was the sole source of compromise in 152 breaches, affecting more than 2.5 million people.

It’s clear that healthcare workers need to be vigilant with their email—both incoming and outgoing. But to fully protect patient data, security awareness measures must extend beyond the inbox:

  • Loss and theft of laptops and other portable electronic devices resulted in 16 breaches, affecting more than 160,000 people.
  • Paper and films were the sole source of breached information in 37 incidents, affecting more than 106,000 individuals. These breaches happened due to loss, theft and improper disposal, as well as unauthorized access/disclosure.

You Can’t Outsource Risk

Any organization that places its data (or its customers’ data) in the hands of a third party must recognize that trust and risk go hand in hand. The ramifications of a third-party breach flow upstream as well as downstream—as many healthcare organizations know all too well.

According to OCR reporting, business associate breaches accounted for 37 of the 387 incidents we analyzed, and business associates were “present” in an additional 47 breaches. Together, these 84 breaches (about 20% of those reported) impacted more than 24 million people (about 60% of all individuals affected).

Take a People-Centric Approach to Cybersecurity

Human error will always be a factor in organizational security—but not all errors are rooted in carelessness. Many are due to a lack of awareness and guidance. Employees who know how to secure data and devices make fewer cybersecurity-related mistakes.

Given the value of healthcare data and the high cost of breaches, healthcare organizations need to be proactive about their own security awareness training initiatives—and those of their business associates. But training can’t simply focus on telling workers that securing data is important.

Employees must be taught to recognize the varying behaviors that can lead to PHI compromise—within email and beyond the inbox—and be empowered to make better decisions. Regular training and ongoing reinforcement are critical to building a culture that emphasizes each person’s role in data and device security.