How Did They Get My Protected Health Information?

Kimberly Ruppel
Dickinson Wright
Contact
LinkedIn
Facebook
X
Send
Embed

Dickinson Wright

It is no secret that protected health information (or “PHI”) is more and more at risk for cybersecurity attacks. In 2022 (the most recent year this statistic is available), the Department for Health and Human Services Office for Civil Rights (“OCR”) received over 30,000 new complaints alleging violations of HIPAA and, in addition to other efforts, completed over 800 compliance reviews, requiring entities to take corrective action or pay civil money penalties.

How do these breaches most commonly occur?

Hacking incidents were the largest category of breaches in 2022, comprising 77% of reported breaches. OCR further reports that over the past five years, there has been a 256% increase in reported significant hacking breaches (affecting over 134 million individuals in 2023 alone) and a 264% increase in reported breaches resulting from ransomware attacks. Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware until a ransom is paid.

OCR recently reported settling an investigation of a ransomware attack affecting the PHI of over 14,000 individuals. In 2019, a Maryland-based behavioral health practice reported its network server had been infected with ransomware, resulting in the encryption of company files and the electronic health records of all patients. OCR’s investigation uncovered evidence that the practice did not comply with HIPAA’s privacy and security rules by failing to have a process in place to evaluate risks and vulnerabilities, failing to implement appropriate security measures, and failing to sufficiently monitor its systems’ activity to protect against a cyber-attack. Under the terms of the settlement, the practice was required to pay $40,000, and a three-year corrective action plan was imposed.

How can your covered entity avoid a breach of PHI through hacking or ransomware and a corresponding investigation and penalties?

The OCR has some suggestions:

  • Review vendor relationships to ensure appropriate business associate agreements are in place that address breach obligations;
  • Regularly conduct risk analysis and risk management efforts;
  • Implement audit controls to record and examine information system activity;
  • Mandate multi-factor authentication for access to PHI;
  • Encrypt PHI;
  • Incorporate lessons learned from prior security incidents; and
  • Provide and reinforce regular training

If you need assistance evaluating your security measures or protocols, be sure to reach out to your counsel.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson Wright | Attorney Advertising

Written by:

Dickinson Wright
Dickinson Wright
Contact
more
less

Dickinson Wright on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide