The field of healthcare has always experienced waves of change at both the technological and infrastructure level. Many of these changes are arising from advancements in artificial intelligence, machine learning, bioengineering and new models of healthcare delivery. Yet, with these new medical and technological breakthroughs, there is an element of risk. This risk occurs with the constant threat of data security breaches. The staff for all healthcare agencies needs to monitor their patient data practices. Clinicians, front office and back office staff should all understand best practices for data security. The following data security breaches in the healthcare industry clearly illustrate this fact.
The Department of Health and Human Services enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act. HHS’ Office for Civil Rights, requires entities to report breaches of more than 500 individuals’ protected health information.
The HIPAA Security Rule: Focuses on securing the creation, use, receipt, and maintenance of electronic personal health information by HIPAA-covered organizations. The Security Rule sets guidelines and standards for the administrative, physical, and technical handling of personal health information.
The HIPAA Privacy Rule: Requires safeguards to protect the privacy of personal health information including medical records, insurance information, and other private details. The Privacy Rule limits what information may be used (and in what manner) and disclosed to third parties without prior patient authorization.
Recent Examples of Healthcare Data Breaches:
 Indianapolis-based insurer Anthem/BCBS, which covers more than 40 million people and sells insurance coverage in key markets like New York and California, suffered a massive data breach from 2014 to 2015. Hackers were able to use a common email technique/trick called spear-phishing. In this instance, company personnel were tricked by fabricated email request to reveal sensitive account usernames and passwords. Once the hackers had gained access to the credentials of Anthem system administrators, this allowed the attackers to probe deeper into the insurer’s computer systems and data storage.
Due to this data breach, the second-largest health insurer in the United States has agreed to pay the federal government a record $16 million to settle potential privacy violations in the biggest known healthcare hack in U.S. history. Hackers were able to gain access to the personal information of nearly 79 million people — including names, birthdates, Social Security numbers and medical IDs. The size and sophistication of the cyber-attack seem to indicate the potential involvement of a foreign government.
 The Minnesota Department of Human Services was the victim of an attack. Hackers were able to gain potential access to the personal information of 21,000 people. This cyber-attack was made possible after two Department of Human Services employees clicked on a link they received in a phishing email. There is no evidence that personal information was actually clicked, downloaded or misused. However, it is clear that there was a change that personal data was potentially compromised during the attack.
 These kind of phishing attacks are common in the healthcare sector. Healthcare companies like Onco360 and CareMed were also breached by hackers using the same kind of attack. These data breaches impacted the personal data of more than 50,000 patients. Both companies are subsidiaries of PharMerica, which reported a data breach. A company statement said that suspicious activity was noticed in November 2017, when an unauthorized user obtained access to three employee emails. Affected information could include patient and medical data as well as Social Security numbers, but the company does not believe any information has been misused.
In the state of Ohio, healthcare providers, agencies and even health systems are not immune to these attacks. Over the last few years, a number of data security breaches have occurred. Here are the more substantial healthcare-related data breaches:
Healthcare Data Breaches in Ohio:
 In February 2018, a cyber-attack targeted email accounts of Aultman Health Foundation based in Canton, OH. However, the phishing attack was not discovered until a month later. This email phishing attack potentially exposed the personal data of 42,600 patients of the foundation’s occupational medicine division, hospital and 25 physician practices for more than a month. In response to the cypher-attack Aultman reset account passwords and increased the password length and complexity. In addition, new email security features and improved its security monitoring procedures were instituted.
 Gahanna-based health-care provider Central Ohio Urology Group suffered a data breach in August 2016. In this case, roughly 300,000 individual’s personal information was exposed to unauthorized third parties. As of October 2018, this is the biggest data breach in Ohio history. The urology group’s data security breach is significate not just because of its size, but also the circumstances. A group aligned with far-right Ukrainian activists posted links to the hacked data and screenshots of a stolen database — complete with names, addresses, phone numbers and other private information — to a Twitter account.
 Community Mercy Health Partners located in Springfield, OH, suffered a serious data breach in December 2015. Though not as severe as the attack that Central Ohio Urology Group experienced, it is still substantial. This data breach was not due to outside hackers, but occurred due to employee negligence. Community Mercy Health Partners had improperly disposed of private medical records after thousands of old laboratory files were found at a Springfield recycling center. In this situation, the personal medical data and information for 113,528 were exposed.
Data Breach Methods and Insiders:
Whether from phishing attacks or staff negligence, it is clear that data security is a real concern for healthcare organizations, insurers and providers. In fact, feedback from healthcare administrators state that 69 percent of respondents report that negligent or careless employees are their greatest concern. As of May 2016, 89 percent of healthcare organizations had reported at least one data breach in the past two years. Shockingly, Forty-five percent of healthcare had experienced more than five breaches. It should be noted that roughly one-half of all data breaches have a criminal intent as the primary reason behind the attack. According to Forbes, 58 percent of healthcare systems data breach attempts involve inside actors, which makes this the leading industry for insider threats today. Another data breaching strategy is to steal laptops from medical professionals in order to obtain privileged access credentials. With this information, hackers can gain access and install malware on healthcare networks, exfiltrate valuable data or sabotage systems and applications.
The security breach at Community Mercy Health Partners displays the fact that data breaches do not have to be on purpose or even be highly-technical. For example, in the case of Edward Snowden, he gained access to a vast amount of highly classified government information by using an inexpensive and widely available software to “scrape” the National Security Agency’s (NSA) computer networks. Similar to the trickery involved in email phishing scams, he even kept at it even after he was briefly challenged by NSA officials.
On an even more sobering note, recent healthcare industry surveys have found that almost one in five health employees (18 percent) said they would be willing to sell confidential data to unauthorized parties. Survey respondents stated that they were willing to sell confidential data to unauthorized parties for $500 to $1,000. In addition, provider organizations were significantly more likely than those in payer organizations to say they would sell confidential data (21 percent vs. 12 percent). This includes selling login credentials, installing tracking software and downloading data to a portable drive, among other actions.
The survey also found that health employees’ willingness to sell confidential data is more than just hypothetical: roughly one-quarter (24 percent) of the respondents said they know of someone in their organization who has sold their credentials or access to an unauthorized outsider.
With all of these data breaches, Healthcare providers and agencies may be tempted to throw their hands up in despair. Yet, there is hope. Agencies, institutions and providers can enact specific measures that will protect their organization from data breaches. Naturally, there are no guarantees, but if specific produces and guidelines are followed, any hospital or clinic will be in a much safer position.
7 Ways To Protect Your Office From Data Breaches:
- Educate your office staff on current data security topics.
- Restrict access to certain data and applications.
- Implement data usage controls.
- Logging and monitoring all users.
- Encrypt all sensitive data.
- Limit the number of connected devices on your network.
- Utilize an off-site data backup system.
As a company that specializes in revenue cycle management for a variety of healthcare professionals, we follow the latest updates and trends in cyber and data security. For addition questions about this topic or general questions about healthcare revenue cycle management, please contact us. At ABCS RCM, we offer experienced medical billing solutions, credentialing services, web design/SEO/PPC and workforce management tools (SaaS) for healthcare agencies.
Follow us on Twitter @abcsohio
Data Security, Healthcare Breaches