HIPAA breaches in 2019: A year in review

Per HITECH Act regulations, the US Department of Health & Human Services (HHS) publishes a rolling list of protected health information (PHI) breaches which affect more than 500 individuals on their Breach Portal, colloquially known as the “Wall of Shame.”

Amy Wood, Breach mitigation specialist and HIPAA educator of ACS Technologies LLC, says, “if you are not familiar with this site, you should be. It is extremely informative in understanding the trends in which OCR is focusing their attention.”

The maximum penalty for a single breach is $1.5 million per year. For one violation, fines can range from $100-$50,000 for each instance of wrongdoing. 

The Paubox team exported all reported incidents from HHS’s official Breach Portal from January 1, 2019 - December 31, 2019 and used the data to compile the following summary.

Trending: Rural America’s next provider generation

High Level Trends

There were 418 HIPAA breaches reported in 2019. In total, 34.9 million Americans had their PHI compromised last year.

This represents roughly 10 percent of the US population in a single year of breaches.

When it came to the sheer number of individuals affected in 2019, network server breaches led the pack with 30.6 million individual’s PHI breached.

However, although more people were affected by a network breach, there were more breaching incidents with email. Network servers were breached 84 times (20 percent of breaches), while email was breached 161 times (39 percent of breaches).

This is why it is supremely important to make sure as a healthcare provider, you only send HIPAA compliant email to your patients.

2019 Breach Highlights (or Lowlights?)

Twenty-Five Million People Affected by One Business Associate Breach

A total of eighteen different healthcare providers were affected by the breach of a shared business associate, American Medical Collection Agency (AMCA), after its network server was hacked in August 2018. 

There is often a delay from when a breach occurs to when it is discovered because oftentimes companies do not immediately realize that they have compromised their data. This means hackers can continue to access patient information for months or even years before they are stopped.

In the case of AMCA, the data breach went undetected for eight months, racking up HIPAA violations all the while.

In total 25 million people, 72 percent of the total number of individuals who had their information compromised last year, were affected by the AMCA breach.

Two healthcare providers accounted for the vast majority of the people affected by the AMCA incident, LabCorp and Quest Diagnostics. Together, 22 million of their patients had data compromised.

As a result of the loss of business and cost of the breach, AMCA’s parent company filed for Chapter 11 bankruptcy.

Business associates as well as healthcare providers can be held liable for HIPAA violations, per HHS regulations. However, it is the healthcare provider’s name which appears on the Wall of Shame.

Email Breaches

The dubious title of “Largest Email Breach of 2019” goes to UConn Health. Over 325,000 people’s healthcare data was exposed due to a successful phishing attack. Not only does UConn face HHS fines, they are also embroiled in a class-action lawsuit with the victims.

According to the 2019 HIMSS Cybersecurity Survey, falling for a phishing email scam is the most common cause of HIPAA breaches (59 percent), followed by human error (25 percent),

This is a great reminder that inbound email security is just as important as outbound HIPAA compliant email for a healthcare provider.

Read More: Should mid-levels be paid at a doctor’s rate?

Don’t Let This Happen to You

As of January 31, 2019, the Office of Civil Rights (OCR) has settled or imposed a civil monetary penalty resulting in a total dollar amount of over $116 million.

To avoid the fees and disgrace associated with a HIPAA breach, as a healthcare provider you must make provisions for protecting patient data, especially in its electronic form.

Be sure to encrypt all email, including email marketing, that you send to patients. Equally important is protecting your team against phishing attacks, which is a growing threat in the healthcare sector.

And be careful whom you do business with! You can be held accountable for your business associate’s mistakes. Make sure you only partner with companies that take security seriously.