The Importance of Protecting Patient Records


We all go to the doctor or hospital at some point in time for health care services. Our healthcare providers collect our personal information, which is used to diagnose, treat, and bill for services rendered. Personal information is considered protected health information (PHI) and is protected under the Health Insurance Portability and Accountability Act (HIPAA). So, what happens when your PHI is released without your consent? We call that a HIPAA breach.

HIPAA Breaches

HIPAA breaches that affect 500 or more individuals are required to be reported to the Secretary of the Department of Health and Human Services (DHHS) within 60 days of the end of the calendar year (Office for Civil Rights, 2023). The DHHS – Office for Civil Rights (OCR) categorizes breaches into the following categories:

  • Hacking/IT Incident
  • Improper Disposal
  • Loss
  • Theft
  • Unauthorized Access/Disclosure
  • Unknown
  • Other

Between 2014 and 2022, the percentage of breach notifications due to Hacking/IT Incidents increased by 558%, as shown in Figure 1 below.

Figure 1: HIPAA Data Breaches of 500+ Individuals 2014-2022

Source: Office for Civil Rights, 2023a

Of the top 10 reported HIPAA breaches of 500 individuals or more in 2022, nine (9) were due to Hacking/IT Incidents and together affected more than 13 million individuals, as shown in Table 1 below.

Table 1: Top 10 HIPAA Breaches in 2022 by Number of Individuals Affected

Organization Name                   | Covered Entity Type | Individuals Affected | Type of Breach                 | Location of Breached Information
OneTouchPoint, Inc.                 | Business Associate  | 4,112,892            | Hacking/IT Incident            | Network Server
Advocate Aurora Health              | Healthcare Provider | 3,000,000            | Unauthorized Access/Disclosure | Electronic Medical Record
Connexin Software, Inc.             | Business Associate  | 2,216,365            | Hacking/IT Incident            | Network Server
Shields Health Care Group, Inc.     | Business Associate  | 2,000,000            | Hacking/IT Incident            | Network Server
Professional Finance Company, Inc.  | Business Associate  | 1,918,941            | Hacking/IT Incident            | Network Server
Baptist Medical Center              | Healthcare Provider | 1,608,549            | Hacking/IT Incident            | Network Server
ARcare                              | Healthcare Provider | 345,353              | Hacking/IT Incident            | Network Server
Aetna ACE                           | Health Plan         | 325,278              | Hacking/IT Incident            | Network Server
Empress Ambulance Service LLC       | Healthcare Provider | 305,056              | Hacking/IT Incident            | Network Server
Stokes Regional Eye Centers         | Healthcare Provider | 266,170              | Hacking/IT Incident            | Network Server

Source: Office for Civil Rights, 2023a

How do Hackers Gain Access to a Covered Entity's Data?

One of the most common methods hackers use to access PHI is phishing email. When a user clicks a link in a malicious email, it downloads malware that infects the system.

Malware is any program or file designed to intentionally harm a computer or network server (Lutkevich, 2022). Malware includes viruses, worms, spyware, and ransomware (Lutkevich, 2022).

In healthcare, ransomware is the most common form of malware. Ransomware is typically delivered to a computer system through a phishing email, and once running it encrypts the user's files. The system stays unusable until a ransom is paid for the hacker to decrypt the files.

Why Do Hackers Target Healthcare?

With all the identifying information found within a healthcare record, it is easy to see why hackers can sell patients' records on the dark web for around $1,000 per record (Jercich, 2021). Hackers can also extort money from healthcare facilities to decrypt the files encrypted during the cyber attack. Needless to say, hacking can be a lucrative business.

How do Healthcare Facilities Protect Patients’ Data?

The HIPAA Security Rule requires that healthcare organizations and other covered entities perform a thorough risk assessment to identify vulnerabilities in their organizations. Covered entities must then implement appropriate administrative, physical, and technical safeguards to prevent future breaches.

HIPAA Breaches and Health Services Administration

As health care managers, we take protecting patients' information very seriously. We are constantly identifying ways to help protect our patients and their information from breaches.

EKU's health services administration (HSA) program offers a concentration focused on health data management. The health informatics and information management (HIIM) concentration provides graduates with the skills and knowledge needed to protect the security of patients' health information.

Interested in a health services administration career?

Earn your online bachelor’s degree from a regionally accredited university that has been an online education leader for more than 15 years. Our flexible, online format provides students the ability to complete coursework and assignments according to their schedule.

Complete the form to learn more about how EKU Online’s health services administration program can help advance your career.

About the Author

Heather Tudor is an associate professor in EKU’s College of Health Sciences and the HSA program director. In addition to undergraduate and graduate degrees from EKU, Heather holds a Doctor of Public Health from the University of Kentucky. She is a registered health information administrator and certified clinical research professional. Tudor holds Six Sigma Lean certification and her research interests include quality and performance improvement.

Jercich, K. (2021, February 08). Tens of thousands of patient records posted to dark web. Healthcare IT News.

Lutkevich, B. (2022, June). Malware. TechTarget.

Office for Civil Rights. (2023). Submitting notice of a breach to the Secretary.

Office for Civil Rights. (2023a). Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. Retrieved on February 27, 2023 from
