Introduction

The healthcare industry continues to be one of the most vulnerable to cyber-attacks. 2022 saw 707 reported breaches in the healthcare industry, according to the Health and Human Services (HHS) Office of Civil Rights (OCR), the entity responsible for handling HIPAA-related data breaches.  This number is roughly on par with 2021 and 2020, which had 714 and 663 breaches, respectively.

In total, over 52 million individuals were affected by data breaches in 2022.

This report will outline the most common reasons for data breaches in 2022, detail how many individuals were affected, and other metrics-of-note.  Then, we’ll discuss some of the largest breaches reported in 2022 along with some advice on how to ensure your organization doesn’t fall victim to the same woes.

All metrics in this report were taken from the US Department of Health and Human Services Office of Civil Rights.  To view the original data, you can visit this link.

Reasons for Data Breaches

OCR defines the following categories for the type of breach:

• Hacking/IT Incident
• Improper Disposal
• Loss
• Theft
• Unauthorized Access

Hacking/IT Incident

Hacking/IT incidents were, by far, the largest category noted by OCR as the reason for a data breach.  Of the 707 reported breaches, 561 (or nearly 80%) were the result of hacking or some other IT-related incident.  This highlights the need for covered entities and business associates to ensure that their IT environments are highly secured, constantly monitored, and continually adapting to the ever-changing IT landscape.

371 of these breaches noted “Network Server” as the location where the breach occurred.  Servers are a prime target for hackers, as they are generally an information-rich source.  Ensuring proper access control, implementing firewalls and other unified threat management devices, and regularly applying critical security updates are all crucial to properly securing your network assets.

146 of the hacking/IT incident breaches involved the use of email.  When used without any ancillary security features, email is a highly insecure mode of communication.  Services such as Microsoft’s M365 suite offer email encryption functionality, which greatly enhances the protection of ePHI.

Improper Disposal

In contrast to hacking incidents, improper disposal of PHI accounted for the fewest number of breaches, at only four.  Despite the fact that most businesses operate almost exclusively electronically, paper charts, forms, and other physical mediums are still prevalent in many medical practices.  It is important to ensure that these physical assets are properly disposed of in a secure recycling receptacle and/or shredded when no longer needed.

In one example, Mountain Area Health Education Center (MAHEC), reported that an employee placed documents containing the protected health information (PHI) of 1,115 individuals in an unsecured recycling bin. The PHI involved included names, addresses, dates of birth, Social Security numbers, and health insurance information.

Loss

Coming in at 12 incidents, loss of ePHI was another comparatively low category, but no less important.  In a few of these incidents, unencrypted USB drives were misplaced, leading to thousands of individuals’ medical data being exposed.  In another incident, a FedEx box containing the PHI of nearly 800 individuals was lost.

Transporting PHI & ePHI must be done with the highest degree of care possible.  This is especially important when using a courier or shipping service, since packages are handled by numerous individuals external to the covered entity.  When transporting ePHI via a USB drive, always use encryption such as BitLocker to further secure the data.  The encryption password can then be shared with the recipient verbally or through an encrypted email message.

Theft

Criminals steal.  That is kind of their thing.  And healthcare establishments are not immune to such activity.  Over 350,000 individuals’ PHI was compromised through the 23 reported cases of theft.  The cases ranged from a laptop stolen out of a provider’s vehicle, to a break-in at a medical office. 

While the lion’s share of incidents involving theft of patient data involve some form of cyber-attack, it’s just as important to ensure that your physical assets are properly secured as well.

Unauthorized Access

A breach doesn’t always occur due to a malicious external actor; sometimes, it’s just carelessness or negligence that cause the data to be breached.  Other times, it is misconduct by an internal employee.  These categories all fall under the heading of “Unauthorized Access” in HIPAA breach reports.  In total, there were 114 incidents reported in 2022 that involved Unauthorized Access.

Impermissibly accessing PHI is considered a breach under HIPAA regulations and can result in significant consequences for both the covered entity and the individual who impermissibly accessed the information.  This includes civil and criminal penalties, reputational harm, and a loss of trust from patients.  

In order to avoid breaches and maintain compliance with HIPAA regulations, it is crucial for covered entities to train their employees on the importance of protecting PHI and to enforce strict policies and procedures for accessing and using this information.

Breaches of Note

With over 700 breaches affecting more than 50 million individuals, it’s hard to know which breaches to pay attention to.  While arguably every breach is important, and every breach has a lesson to be learned from it, covering all of them would obviously be pretty intense.  Let’s discuss the breach with the most affected individuals first.  Then, we’ll go through a selection of breaches we at Axeleos feel are important to discuss.

OneTouchPoint, Inc. – 4,112,892 Affected Individuals – Hacking Incident

It might surprise you that the biggest breach of the year wasn’t a Covered Entity at all, but by a Business Associate.  OneTouchPoint (OTP) provides marketing execution services, including print production, mailing and fulfillment, marketing automation, supply chain, direct marketing, and other marketing services.  In April 2022, OTP discovered a malware/ransomware incident that affected millions of individuals.

The breach involved employee information such as names, healthcare member IDs, and information provided during health assessments. Customers have reported the breach as involving names, subscriber ID numbers, diagnoses, medications, addresses, dates of birth, sexes, physician demographics information, family histories, social histories, allergies, vitals, immunizations, and other information.  Among the affected Covered Entities were Anthem ACE, Kaiser Permanente, Geisinger, Humana, and several affiliates of Blue Cross Blue Shield.  At least two class action lawsuits have been filed against OTP as a result of the breach.

Advocate Aurora Health – 3,000,000 Affected Individuals – Unauthorized Access/Disclosure

The breach at Advocate Aurora Health, which was reported in October, is the #2 incident for 2022 by number of affected individuals.  This breach involved the use of pixels, a form of tracking that is available from Google, Meta (Facebook’s parent company), and LinkedIn.  The company issued the following statement:

“These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population,” the health system said in the online statement.  “We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology.”

Although an investigation is ongoing, the Covered Entity believes that, in addition to PHI, information such as IP addresses and physical location may have been involved.

This breach shows the need for organizations to carefully review and assess the privacy and security implications of using technologies such as pixel tracking before implementing them.  Additionally, organizations must continuously monitor and evaluate the use of these technologies to ensure that sensitive information is not being disclosed.

Wright & Fillippis, LLC – 877,584 Affected Individuals – Hacking/IT Incident

Wright & Filippis, a medical solutions provider based in Rochester Hills, MI, suffered a ransomware attack in January 2022, which encrypted certain files on its network.  The attack was detected soon after it occurred, but the files that were encrypted could not be recovered.  A third-party investigation confirmed that the attack had potentially exposed the protected health information of 877,584 current and former patients, employees, and job applicants.

The data included names, birth dates, Social Security numbers, financial account numbers, and health insurance information.  No evidence of actual or attempted misuse was found, but affected individuals were offered identity monitoring services as a precaution.  The notification to affected individuals was delayed due to the time-intensive investigation process.

A Note About Ransomware Attacks

Ransomware attacks have been on the rise in recent years, and medical providers have become a prime target for cyber criminals.  This is due to the sensitive nature of the information that these organizations handle, such as patient health records and financial information, making it a valuable target for hackers.

Medical providers are particularly vulnerable to ransomware attacks because they often have outdated or unpatched systems, as well as a lack of robust cybersecurity measures in place.  In many cases, medical providers also have limited resources to devote to cybersecurity, making them an attractive target for attackers who believe they can easily extort large sums of money from these organizations.

The increasing frequency of ransomware attacks against medical providers highlights the need for advanced threat monitoring and response capabilities.  This includes implementing a multi-layered security approach that includes firewalls, anti-virus software, and intrusion detection systems.  It is also crucial for medical providers to regularly update their systems and software, and to conduct regular security audits and penetration testing.

In addition, medical providers should also be proactive in their approach to cybersecurity by investing in employee training and awareness programs, as well as having a comprehensive incident response plan in place.  This can help to prevent successful attacks and minimize the impact of any attacks that do occur.

Ultimately, the rise in ransomware attacks against medical providers highlights the need for robust cybersecurity measures, which should be a top priority for all organizations handling sensitive information.

Conclusion

As the data from HHS OCR show, hacking and other IT-related incidents are by far the biggest threat facing Covered Entities and Business Associates, underscoring the need for robust administrative and technical safeguards as outlined by HIPAA.  To protect sensitive information, healthcare organizations must implement measures such as multi-layered security, regular system updates, employee training, and a comprehensive incident response plan.  

These measures serve as crucial administrative and technical safeguards, ensuring the protection of patient information in line with HIPAA regulations.  It is essential for healthcare organizations to prioritize cybersecurity and take proactive measures to prevent successful attacks.

Axeleos MediGuard Can Help!

Axeleos offers a multitude of services tailored to the healthcare industry and HIPAA-covered organizations with Axeleos MediGuard.  Don’t let your medical practice or healthcare-adjacent business become the next victim of a HIPAA data breach.  Contact us today and let us help you secure your systems and patient data.