Smaller Healthcare Practices Become New Hacking Targets

By Tony Edwards

Healthcare data breaches often bring to mind large institutions — hospitals, insurers, HMOs — but small practices are becoming a growing target for hackers.

Hacking/IT incidents topped the list of causes of healthcare facility breaches in 2018, according to HIPAA Journal, with email being the method of choice for accessing information.

Nearly 600 breaches from the last two years affecting 500 or more individuals are under investigation by the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services.

Federal HIPAA regulations require practices to report breaches to the OCR, though many fail to do so, experts tell Digital Privacy News.

“For incidents involving between 1 and 499 patients, the facility-practice is required to ‘log’ the breach and submit the logs within the first 60 days of the new year,” said Debi Carr of DK Carr & Associates, a Florida consultancy.

“For incidents involving 500 or more, it becomes immediately reportable unless [the practice] can prove that patient information was not viewed, acquired, or misused.”

This month, a gastroenterological practice in Ogden, Utah, agreed to pay a $100,000 fine to settle a potential violation of the HIPAA security rule.

The OCR’s subsequent investigation found that Dr. Steven A. Porter’s practice did not conduct a risk analysis when the breach occurred and failed to do so afterward.

Porter also failed to implement sufficient security measures in light of the hack, the agency found.

Overall, healthcare practices shelled out more than $28 million in fines and settlements to the agency in 2018 for running afoul of HIPAA reporting requirements.

Notifying Patients

Under federal law, a practice must send notices to patients within 60 days after learning that its data has been breached. If 10 or more patient addresses are outdated, the practice must post a statement on its website for at least 90 days and give notice in the media.

“It is a thin line,” Carr told Digital Privacy News. “By law, all breaches are reportable, unless you can prove otherwise.”

But federal and state laws differ.

“While HIPAA gives practices 60 days to notify, some states require less time — so it is important to know your state’s laws,” Carr said.

Because requirements can vary, “business leaders must ensure that their teams are properly trained and reminded of the cybersecurity threats that put patient and practice data at risk,” said Christine Alfano, a senior marketing director of Vyne.

The technology company, based in Dunwoody, GA, focuses on data, communication and security for U.S. healthcare practices.

Unreported Breaches

Many breaches, however, go unreported.

According to Carr, IT companies sometimes destroy evidence without informing a practice that a forensic investigation is required after a breach.

“In most cases, the doctors don’t know what they are required to do — and either the IT companies don’t tell them (because the company knows it would be blamed) or the IT company doesn’t know,” Carr said.

“We will see more doctors being attacked,” she added, “and having to report a breach.”

Tony Edwards is a writer in California.

SIDEBAR: Protect Yourself

  • Ask practices about how their healthcare data is being handled.
  • Ask what records system is being used and what practices are actively doing to protect data.
  • Be observant of how practice staff handle information.
  • Tell physicians if staff exposes medical information in any communication.
  • Be ready to freeze credit accounts if you suspect a breach might occur.