COVID Pushes Up HIPAA Violations Last Year to Second-Straight Record
By Myrle Croasdale
U.S. health care data-privacy violations soared 26% last year, federal data show, setting a record high for the second straight year.
Breaches involving 500 patient records or more reached 647 in 2020, versus 512 incidents in the year before, according to the U.S. Office for Civil Rights (OCR).
Year-over-year increases had been gradual until the past two years, the data showed. Hacking and IT incidents accounted for the majority of the reported violations, according to OCR.
Part of the U.S. Department of Health and Human Services, OCR enforces privacy rules created by the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.
“Hacking and IT incidents (including ransomware) have increased significantly in the health care industry in recent years, accounting for 67% of the breaches of unsecured protected health information (PHI) affecting 500 or more individuals that were reported to the department in 2020,” OCR told Digital Privacy News.
HIPAA requires health care providers, health plans, health care clearinghouses and business associates of such companies to protect the privacy of patients’ medical records and personal information.
Several factors are driving this trend, experts told Digital Privacy News.
Information Gold Mine
Brian Lapidus, who leads Kroll Inc.’s global identity theft and breach notification practice, said cybercriminals were drawn to medical-record data because it remained plentiful.
“Health care, in general, has a treasure trove of information — given what they do,” Lapidus said.
“Name, date of birth, address, Social Security number, diagnosis information, credit-card payment information,” he continued. “Medical records are literally a one-stop shop for personal information that could be used for identity theft, for fraud.”
Larry Ponemon, a data-privacy expert and researcher, agreed.
He leads the Ponemon Institute, a research think tank in Traverse City, Mich., that focuses on privacy, data-protection and information-security practices.
“If I wanted to create an identity credential, I would want to get as much information as possible,” Ponemon told Digital Privacy News.
“The average health care record has personal information, from your health condition to your credit card used for copays.”
Medical records are a perfect source for identity thieves, he said, and many people have access to that data.
In fact, Ponemon said, more health care data breaches come from insiders, whether they intentionally steal data or inadvertently give hackers access.
In the past 24 months, he observed, the number of health care contractors has doubled, increasing the number of insiders who may not have experience with HIPAA compliance.
Another vulnerability in health organizations is that they tend to have flat networks, Ponemon noted. Once hackers find a way in, they can access the entire system.
Remote Work Explosion
The shift to remote work because of the global COVID-19 pandemic has been harder for those in health care, Kroll’s Lapidus said, especially for small and medium-sized systems.
Many corporations in finance and other tech-reliant industries had strong virtual private networks (VPNs) in place when the pandemic hit and could shift their workforces to remote access overnight.
This was not the case for many in health care.
“Health care organizations are not used to working from home and were not as prepared,” Lapidus told Digital Privacy News. “The fast switch to remote work offered cybercriminals an opportunity to move in.”
More broadly, remote work from the pandemic has heightened health care’s vulnerability, experts said.
“Working from home can be deadly,” Ponemon said, explaining that people can be more relaxed with cyberhygiene at home.
Further, if security protocols get in the way of delivering efficient patient care, some clinicians may find a workaround.
“You can only have so many top priorities,” Ponemon said, and clinicians are focused on patient care.
In addition, studies have found doctors to be the least likely to take privacy issues seriously during the normal course of business, he said.
They may use the same password over and over, for instance, so they don’t have to worry about getting locked out of a system while caring for patients.
Or, they may leave information on a screen or take other shortcuts to avoid delays in delivering care, he said.
“These are good people — but the culture of health care, the focus, is on the health of the patient,” Ponemon said. “Privacy and cybersecurity are not as important as the patient.”
COVID also forced a rapid transition to telemedicine, which further created vulnerabilities, Ponemon said.
“The shift to telehealth extended providers’ digital footprint and elevated patient data risk,” he told Digital Privacy News. “Early on, they may have used FaceTime to communicate.
“The shift happened so fast — some organizations may not have known where to start,” Ponemon added. “Today, they are far more attuned to the need for a security footprint than they were in March 2020.”
But implementing HIPAA-compliant telemedicine applications and software is complex, Lapidus said.
Organizations had to determine whether to store data on site or in the cloud. They had to set up authentication processes.
Those new to telehealth may not have known where their vulnerabilities even were, he said.
Gray Market Saboteurs
Lapidus said COVID created another opportunity for cybercriminals: The shortage of personal protective equipment (PPE) early on had health care workers scrambling.
Gray marketers exploited this.
“Cybercriminals were creating bogus websites selling PPE,” he said. “They’d send a link saying, ‘You can get PPE here.’
“People are clicking on that link,” Lapidus told Digital Privacy News, “and it is putting malware on your computer or collecting information from you to create accounts in your name.”
Myrle Croasdale is a Minnesota writer.
The High Price of Security Breaches
HIPAA violations can be costly in terms of the labor and the consultants needed to repair breaches. They also can result in fines.
But there is a higher price, data-privacy expert Larry Ponemon said.
“The biggest cost is lost business and the public loss of status,” he told Digital Privacy News.
Health care, he noted, historically is underfinanced — and information-technology investments tend to come in second, third or fourth place to new hospital wings or the purchase of the latest MRI equipment.
“It’s difficult to have state-of-the-art cybersecurity when your information technology is not a dedicated part of the budget,” Ponemon said.
— Myrle Croasdale
- U.S. Department of Health and Human Services: Office for Civil Rights HIPAA Breach Data Portal