A HIPAA Disaster: The May 2021 Healthcare Data Breach
By Greg Garner
The year 2021 has been a rough one for the health care industry—especially during the month of May. Hospitals, insurance companies and other medical professionals have all had their data compromised.
The most recent series of breaches occurred in May of this year—the most damaging yet.
Several major health care data breaches occurred in May 2021. The HIPAA disaster left millions of patients vulnerable. They could face identity theft, fraud, and other malicious activities. Also, the reputation of many health care providers took a beating.
In this post, we’ll discuss the major causes of the breaches and what you can do to protect yourself against them. To learn more about the May 2021 health care data breaches, keep reading.
HIPAA Rules and Your Organization
The Health Insurance Portability and Accountability Act is a federal law that legislators passed to protect the privacy, integrity, and availability of an individual’s health information. The HIPAA Privacy Rule includes guidelines for ensuring privacy protection in connection with all uses or disclosures as well as access by individuals who are subject to the regulation.
The most important CARES Act rule, from the perspective of IT professionals, is the mandate to protect patient information. This requirement has indeed bolstered the security of sensitive patient records.
As a result, patient electronic health information is now much safer. However, the rules also place a considerable burden on health care organizations.
Failure to meet these obligations can gravely impact your organization and those you serve. The best way to get ahead of the curve is by staying up-to-date with the latest HIPAA regulations and ensuring that your organization remains compliant. That way, you can avoid nasty HIPAA fines and expensive lawsuits—and instead focus on helping those in need of health care services.
A Brief Overview of HIPAA Rules
HIPAA rules say that “covered entities” must protect patient information. Accordingly, it’s critical that health care professionals establish safeguards.
These safeguards might include administrative measures such as risk analyses. They may also include employee training.
Safeguards can also include physical precautions, such as workplace access controls. They can also encompass technical safeguards, such as cybersecurity controls.
As a rule of thumb, organizations must take steps to protect against reasonably anticipated threats. They must also protect against unauthorized use or disclosure of patient information.
Together, these measures protect the confidentiality and integrity of patient health information. They also ensure that patients can access their own health information.
The Worst Month for HIPAA Security to Date
May 2021 was the worst month ever for data breaches and HIPAA compliance. In total, there were 63 breaches in a single month.
All of these breaches involved 500 or more records. The violations were reported to the Office for Civil Rights during this time.
The norm was two reported breaches a day for the three months prior to the month of May. Now, that average has risen to nearly 55 data breaches per month, up from roughly 30.
Scope of the May Breaches
The May incidents include a range of event types. Most of them were reports of hacking or other IT incidents.
These kinds of events accounted for nearly 75% of all of the HIPAA-related troubles that arose in May. Out of 63 total events, they made up 47 of them.
In total, these incidents resulted in the theft or exposure of nearly 6.5 million patient health care records. That is equivalent to nearly 99% of all records breached that month. On average, each of these breaches resulted in the unauthorized disclosure of over 130,000 records.
Also, whistleblowers reported nine incidents of unauthorized access or disclosure of patient information. These reports involved close to 18,000 individual patient health records. The average number of records affected per breach was nearly 2,000 for each of these events.
Meanwhile, there were three reported losses or thefts of patient information. These events involved over 20,000 records.
Finally, there were two reports of the improper disposal of sensitive patient information. These incidents affected nearly 65,000 patients.
For certain, the May numbers highlight a grim reality in the world of HIPAA compliance. Hopefully, others will learn from these unfortunate lessons.
Types of Entities Affected
A range of covered entity types was also involved in the May breaches. Health care providers reported 47 of them.
However, only 20 of those incidents occurred at the health care provider itself. The other 27 incidents were reported by health care providers but occurred at a business associate.
Meanwhile, several reported data breaches directly involved business associates of HIPAA-covered entities. Altogether, business associates were present in a total of 31 of May’s data breach reports.
Furthermore, eight May data breach reports involved health insurance plans. Four of them, in part, involved business associates. Finally, there was a single report of a data breach at a health care clearinghouse.
States Affected by May 2021 Breaches
The breaches also took place across a range of states. Altogether, this activity affected 32 states.
Six reports occurred in Texas. Meanwhile, five reports occurred in New York and Ohio.
There were four HIPAA compliance events in California, Illinois and West Virginia. In Mississippi and Missouri, there were three reports each.
Elsewhere, there were two reported breaches in Florida, Maryland, Massachusetts, New Jersey and Oklahoma.
Finally, the following states all experienced one breach each:
There was also an announcement of a HIPAA enforcement action in May. It was the third such OCR action this year.
An OCR HIPAA Violation Response in May
Most settlements have resolved violations of the HIPAA right of access. However, May’s settlement involved multiple violations of the HIPAA Security Rule.
Most often, HIPAA penalties stem from an OCR investigation. For example, the OCR might investigate a data breach or a patient complaint.
However, May’s penalty was unusual. It was the consequence of a compliance investigation.
Here, the OCR investigated a data breach reported by the Department of Veterans Affairs. The event involved a VA business associate—Authentidate Holding Corporation (AHC).
With the right training, you can avoid this kind of undesirable circumstance.
What is HIPAA Training?
HIPAA training is an excellent way to prove that your organization complies with HIPAA regulations. It will also save your organization time in performing due diligence.
Also, HIPAA compliance is an ongoing process. What counts as HIPAA compliance in regard to training today will quickly go out of date when the rules change.
HIPAA rules require that covered entities train their workforce on compliance. Furthermore, they must provide thorough training. This kind of training is critical for enabling employees to competently manage their roles.
It’s critical that employees know how HIPAA affects their work so that they can protect themselves and their organizations.
What is HIPAA Certification?
After completing HIPAA training, you’ll better understand your organization’s problem areas regarding HIPAA compliance. This improves overall compliance across the board.
HIPAA training certification demonstrates that your business conducts itself ethically. It also shows that you comply with HIPAA laws.
As a result, HIPAA certification can improve the reputation of your organization or firm. Most importantly, it’s a tool that will empower you to build trust.