2016 a banner year for EHR security breaches

Security breaches of electronic protected health information (ePHI) continue to plague the healthcare industry—and the trend shows no signs of abating.

More than 25 million patient records were reportedly compromised as of October 2016. And then, in November, the cases spiked: There were 57 health data breaches—the most in any one month this year, according to the Protenus Breach Barometer. 

What’s even more concerning is that inside employees were responsible for more than half of November's breaches, a notable increase from past months. 

Many of the breaches are the garden-variety ones that the industry is familiar with, such as theft of a portable device. For example, multi-line health company Centene reported in January that the records of 950,000 patients were compromised after the loss of six hard drives.

However, this year the industry is also seeing more breaches due to hacking and malware, which brings a more sinister criminal element to the breaches. It's also seeing new, unanticipated ways that electronic records can be placed at risk, with potentially more far-reaching implications.

A few of the more notable breaches reported in 2016 included:

  • Blue Shield of California reported a breach in January 2016 affecting 21,000 individuals. The breach stemmed from misuse of its customer service representatives’ log-in information to its EHR.
  • In March, Ft. Myers, Florida-based 21st Century Oncology reported that the records of 2.2 million patients were breached due to hacking. A number of class action lawsuits have since been filed against the practice.
  • Newkirk Products, which creates member identification cards on behalf of health plans, suffered a breach when a server was accessed without authorization, putting the ePHI of 3.3 million health insurance members at risk. The access appears to have occurred beginning May 21, but Newkirk discovered the breach July 6.
  • Athens Orthopedic Clinic in Georgia suffered a cyberattack compromising the records of 200,000 patients in June, when the log-in credentials of an outside vendor were used to access its EHR. The clinic also had to inform its patients that it can’t afford to pay for extended credit monitoring.
  • One of the most disturbing breaches was Boston's Codman Square Health Center’s report that an employee of an outside vendor obtained unauthorized access to the regional health information exchange (HIE) that Codman participates in—New England Healthcare Exchange Network (NEHEN)—by using a Codman employee’s access credentials. The employee inappropriately accessed the records not only of Codman’s own patients but also the records of 4,000 other patients in the HIE.

    Yet Codman doesn’t have the patient contact information for the other patients—only its own—meaning that thousands of patients may never learn that their records were compromised.  

Prior breaches plague entities in 2016

Even breaches that occurred in prior years continued to haunt the entities affected in 2016. For example, health insurance giant Anthem, which suffered a huge cybersecurity breach affecting 80 million people in 2015, is still trying to assess the impact and is dealing with litigation alleging that its security was insufficient.

Moreover, many of the enforcement actions that were resolved in 2016 also involved electronic information. Here is a representative sample:

  • North Memorial Health Care of Minnesota agreed March 16 to pay $1,550,000 to settle charges it potentially violated HIPAA by failing to implement a business associate agreement with a major contractor and failing to conduct a risk analysis to address vulnerabilities of ePHI. An unencrypted laptop was stolen from a business associate’s employee’s locked vehicle in 2011, impacting the ePHI of 9,497 patients.
  • Catholic Health Care Services of the Archdiocese of Philadelphia agreed on June 30 to pay $650,000 to settle HIPAA violations stemming from a breach of HIPAA’s security rule when an unencrypted smartphone was stolen from an employee in 2014. It contained ePHI for 412 nursing home residents. This was the first OCR HIPAA settlement (called a “resolution agreement”) against a business associate of a HIPAA covered entity.
  • Oregon Health and Sciences University agreed to pay $2.7 million in settlement after suffering the loss of unencrypted laptops and an unencrypted thumb drive affecting thousands of patients. The ensuing OCR investigation also uncovered ePHI on a cloud-based server that was not protected by a business associate agreement between the parties.
  • The University of Mississippi Medical Center agreed to pay $2.75 million to settle alleged violations of HIPAA stemming from the theft of a laptop from its Medical Intensive Care Unit in 2013. While the laptop was password protected, the ePHI of 10,000 patients stored on a network drive could be accessed after entering a generic username and password.
  • Advocate Health Care settled potential HIPAA penalties August 4 for $5.55 million stemming from three breach reports it filed in 2013 involving its subsidiary, Advocate Medical Group, affecting the ePHI of about 4 million patients.
  • Care New England Health System (CNE) agreed Sept. 23 to pay $400,000 to settle HIPAA violations stemming from the loss in 2012 of unencrypted backup tapes containing the ultrasound studies of about 14,000 patients of Women & Infants Hospital of Rhode Island, a covered entity member of CNE.
  • St. Joseph Health, which treats patients throughout California and in parts of Texas and New Mexico, agreed to settle potential violations of HIPAA for $2.14 million following a report that files containing ePHI were publicly accessible through internet search engines from 2011 to 2012. The server it purchased to store the files included a file-sharing application whose default settings allowed anyone with an internet connection to access them, but St. Joseph didn’t examine or modify it, potentially disclosing the ePHI of 31,800 patients.

Many of these breaches are due to lax compliance with some of the most basic requirements of HIPAA, despite the fact that the law has been on the books for 20 years.