We all go to the doctor or hospital at some point in time for health care services. Our healthcare providers collect our personal information, which is used to diagnose, treat, and bill for services rendered. Personal information is considered protected health information (PHI) and is protected under the Health Insurance Portability and Accountability Act (HIPAA). So, what happens when your PHI is released without your consent? We call that a HIPAA breach.
HIPAA Breaches
HIPAA breaches that affect 500 or more individuals are required to be reported to the Secretary of the Department of Health and Human Services (DHHS) within 60 days of the end of the calendar year (Office for Civil Rights, 2023). The DHHS – Office for Civil Rights (OCR) categorizes breaches into the following categories:
- Hacking/IT Incident
- Improper Disposal
- Loss
- Theft
- Unauthorized Access/Disclosure
- Unknown
- Other
Between 2014 and 2022, the percentage of breach notifications due to Hacking/IT Incidents increased by 558%, as shown in Figure 1 below.
Figure 1: HIPAA Data Breaches of 500+ Individuals 2014-2022
Source: Office for Civil Rights, 2023a
When considering the top 10 reported HIPAA breaches of 500 individuals or more in 2022, nine (9) of them were due to Hacking/IT Incidents and affected more than 13 million individuals, as shown in table 1 below.
Table 1: Top 10 HIPAA Breaches in 2022 by Number of Individuals Affected
| Organization Name | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
| OneTouchPoint, Inc. | Business Associate | 4,112,892 | Hacking/IT Incident | Network Server |
| Advocate Aurora Health | Healthcare Provider | 3,000,000 | Unauthorized Access/Disclosure | Electronic Medical Record |
| Connexin Software, Inc. | Business Associate | 2,216,365 | Hacking/IT Incident | Network Server |
| Shields Health Care Group, Inc. | Business Associate | 2,000,000 | Hacking/IT Incident | Network Server |
| Professional Finance Company, Inc. | Business Associate | 1,918,941 | Hacking/IT Incident | Network Server |
| Baptist Medical Center | Healthcare Provider | 1,608,549 | Hacking/IT Incident | Network Server |
| ARcare | Healthcare Provider | 345,353 | Hacking/IT Incident | Network Server |
| Aetna ACE | Health Plan | 325,278 | Hacking/IT Incident | Network Server |
| Empress Ambulance Service LLC | Healthcare Provider | 305,056 | Hacking/IT Incident | Network Server |
| Stokes Regional Eye Centers | Healthcare Provider | 266,170 | Hacking/IT Incident | Network Server |
Source: Office for Civil Rights, 2023a
How do Hackers Gain Access to a Covered Entities Data?
One of the most common methods hackers use to access PHI is phishing emails. When the user clicks a link in a malicious email, it downloads malware that infects the system.
Malware is any program or file designed to intentionally harm a computer or network server (Lutkevich, 2022). Malware includes viruses, worms, spyware, and ransomware (Lutkevich, 2022).
However, in healthcare, ransomware is the most common form of malware. Ransomware is typically downloaded to a computer system through a phishing email, and it encrypts the user’s files. The computer system is unusable until a ransom is paid for the hacker to decrypt the files.
Why Do Hackers Target Healthcare?
With all the identifying information found within a healthcare record, it is easy to see why hackers can sell patients’ records on the dark web for around $1,000 per record (Jercich, 2021). However, hackers can also extort money from healthcare facilities to unencrypt the files encrypted during the cyber attack. Needless to say, hacking can be a lucrative business.
How do Healthcare Facilities Protect Patients’ Data?
The HIPAA Security rule requires that healthcare organizations and other covered entities perform a thorough risk assessment to identify vulnerabilities in their organizations. Then covered entities would implement appropriate administrative, physical, and safeguards to prevent future breaches.
HIPAA Breaches and Health Services Administration
As health care managers we take protecting patients information very seriously. We are constantly identifying ways to help protect our patients and their information from breaches.
EKU’s health services administration (HSA) program offers a concentration focused on health data management. The health informatics and information management (HIIM) concentration provides graduate the skills and knowledge needed to protect the security of patients health information.
Interested in a health services administration career?
Earn your online bachelor’s degree from a regionally accredited university that has been an online education leader for more than 15 years. Our flexible, online format provides students the ability to complete coursework and assignments according to their schedule.
Complete the form to learn more about how EKU Online’s health services administration program can help advance your career.
About the Author
Heather Tudor is an associate professor in EKU’s College of Health Sciences and the HSA program director. In addition to undergraduate and graduate degrees from EKU, Heather holds a Doctor of Public Health from the University of Kentucky. She is a registered health information administrator and certified clinical research professional. Tudor holds Six Sigma Lean certification and her research interests include quality and performance improvement.
References
Jercich, K. (2021, February 08). Tens of thousands of patient records posted to dark web. Healthcare IT News. https://www.healthcareitnews.com/news/tens-thousands-patient-records-posted-dark-web
Lutkevich, B. (2022, June). Malware. TechTarget. https://www.techtarget.com/searchsecurity/definition/malware
Office for Civil Rights. (2023). Submitting notice of a breach to the Secretary. https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html Office for Civil Rights. (2023a). Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. Retrieved on February 27, 2023 from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf