2014 Was Landmark Year for Health Data Breaches

Register now

When it comes to health data breaches, 2014 was a milestone year. Healthcare organizations accounted for about 42 percent of all major data breaches reported this year, according to the Identity Theft Resource Center.

2014 began with the FBI’s Cyber Division warning industry that healthcare systems and medical devices were at risk for increased cyber intrusions “due to mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market.” However, the concerns of law enforcement that the healthcare industry was not as resilient to cyber intrusions compared to the financial and retail sectors apparently went unheeded.

In an August filing with the Securities and Exchange Commission, Franklin, Tenn.-based Community Health Systems—with 206 hospitals in 29 states—reported that it had been hacked with protected health information covering 4.5 million patients compromised. The hackers, believed to be operating out of China, copied and transferred non-medical patient identification data from physician practice operations that included names, addresses, birthdates, telephone numbers and Social Security numbers.

Similarly, Montana state officials this past summer notified 1.3 million individuals of a health data breach after a computer server in the Department of Public Health and Human Services was hacked. The number of current and former residents who received notifications exceeded the state’s estimated population in 2013 of 1.015 million.

Not surprisingly, the potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually, found an annual Ponemon Institute study from early 2014. At the same time, healthcare organizations are paying the price for their HIPAA violations that put health data at risk.

2014 was a big year for the levying of fines and scrutiny from federal regulators. New York-Presbyterian Hospital and Columbia University collectively paid $4.8 million to the Department of Health and Human Services Office for Civil Rights to settle charges of violating the HIPAA privacy and security rules. The hospital paid $3.3 million and the university paid $1.5 million—the combined total payment is a record.

Earlier this year, the HHS Office for Civil Rights levied fines against a provider organization and a health insurer for violations of the HIPAA privacy and security rules stemming from stolen unencrypted laptops. OCR fined provider Concentra Health Services $1,725,220, and Arkansas insurer QCA Health Plan $250,000, with both organizations signing resolution agreements to adopt a corrective action plan for HIPAA compliance.

In 2015, the HHS Office for Civil Rights expects to begin a random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. So, the heat is about to be turned up on healthcare organizations that are being lax.

If the past is prologue and 2014 is any barometer, the healthcare industry will continue to be plagued by data breaches in 2015, given the growing number of access points to protected health information and other sensitive data through EHRs and increased usage of wearable technology. Regardless, healthcare organizations will need to step up their security posture and data breach preparedness in the New Year or face the wrath of regulators, concludes global information services company Experian.

Healthcare organizations have the herculean task of “securing a significant amount of sensitive information stored on their network, which combined with the value of a medical identity string makes them an attractive target for cybercriminals,” states the firm. “The problem is further exasperated by the fact that many doctors’ offices, clinics and hospitals may not have enough resources to safeguard their patients’ PHI.”

For reprint and licensing requests for this article, click here.