
Top Ten Healthcare Data Breaches of 2016

by John DiGiacomo, Partner

2016 was an unkind year for health care system data breaches. The top ten healthcare data breaches of 2016 affected more than 16 million people, and there were more than 300 hacking and data security incidents throughout the year. The federal government tracks healthcare data breaches and publishes its report for public inspection.

Top Ten Healthcare Data Breaches of 2016

The U.S. Department of Health and Human Services maintains a listing of the top ten healthcare data breaches for 2016. More than 16 million individuals were impacted by a healthcare system data breach in 2016. While this is far fewer affected individuals than in past years, there is still much concern surrounding healthcare data breaches, as these attacks are becoming more frequent and more sophisticated. Healthcare systems are four times as likely to be the victim of ransomware. The top ten healthcare data breaches in 2016 include:

  1. Banner Health, with 3.6 million records affected by a hacking incident.
  2. Newkirk Products, with 3.5 million records affected by a hacking incident.
  3. 21st Century Oncology, with 2.2 million records affected by a hacking incident.
  4. Valley Anesthesiology Consultants, with 883,000 records affected by a hacking incident.
  5. County of Los Angeles Departments of Health and Mental Health, with 749,000 records affected by a hacking incident.
  6. Bon Secours Health System, with the unauthorized access and/or disclosure of 652,000 records.
  7. Peachtree Orthopedic Clinic, with 531,000 records affected by a hacking incident.
  8. Radiology Regional Center, with the loss of 483,000 records.
  9. California Correctional Health Care, with the theft of 400,000 records.
  10. Central Ohio Urology Group, with 300,000 records affected by a hacking incident.

Among the top ten healthcare data breaches, more than 11 million patient records were potentially exposed, roughly two-thirds of all records exposed in healthcare data breaches for 2016. 2017 has only been underway for a week or so and there has already been a data breach at the MetroPlus Health Plan in New York. Given the trend of the last two years, we should expect even more data breaches in 2017.

Ransomware Attack Levels Unprecedented in Health Industry in 2016

The U.S. Department of Health and Human Services’ listing does not include instances of ransomware attacks made on healthcare systems. But that does not take away from the fact that ransomware attacks on health care systems were at an all-time high. There was more than a 60% increase in the number of ransomware attacks on healthcare systems in 2016 over 2015, with no signs of slowing down in the future.

Contact a Healthcare Cybersecurity Lawyer

Cyber threats are continually evolving and changing, and as such so too are the laws governing cybersecurity issues in healthcare. Healthcare systems are under attack like never before and patient health records are being exposed at unprecedented rates. When a healthcare system experiences a hack, the healthcare system has certain obligations to patients whose records are exposed concerning notification and addressing the data breach. Revision Legal has worked with healthcare entities to manage their cyber security legal issues. We can assist you as you manage the aftermath of a security data breach. Contact us using the form on this page or call us at 855-473-8474.

Why Healthcare Data Is So Valuable to Attackers

Healthcare records are among the most valuable data on the black market. A complete electronic health record containing a patient’s name, date of birth, Social Security number, insurance information, and medical history can sell for anywhere from $10 to several hundred dollars on dark web marketplaces — far more than the typical $1-$2 commanded by a stolen credit card number. Credit cards can be cancelled; medical histories cannot be changed. The permanence of medical data, combined with its utility for insurance fraud, prescription fraud, and identity theft, makes healthcare databases the most attractive targets in the breach landscape.

The 2016 breaches in the top ten list reflect the full range of healthcare sector attack vectors. Banner Health’s 3.6-million-record breach occurred when hackers gained access to systems processing payment card data at food and beverage outlets at Banner’s facilities — an example of how attackers can use lower-security entry points within a healthcare organization’s broader network to ultimately reach more sensitive systems. Newkirk Products, a healthcare ID card vendor, was breached through its own network, illustrating the business associate risk that HIPAA’s extension of liability to business associates was designed to address.

HIPAA’s Response Framework: What Healthcare Entities Must Do After a Breach

Each of the organizations that suffered breaches in the 2016 top ten list was subject to HIPAA’s Breach Notification Rule, 45 CFR §§ 164.400-414. The Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. The notification framework has three components:

  • Individual notification: Written notice to each affected individual within 60 days of discovering the breach, provided by first-class mail or, if the individual previously agreed to electronic notice, by email. The notice must describe the breach, the types of PHI involved, steps individuals should take to protect themselves, and the covered entity’s contact information.
  • Media notification: For breaches affecting 500 or more residents of a state or jurisdiction, prominent media outlets in that state must be notified within the same 60-day window. All ten organizations in the 2016 top ten list exceeded this threshold by enormous margins.
  • HHS notification: All HIPAA breaches must be reported to HHS OCR. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery; smaller breaches may be reported on an annual basis using the HHS web portal.

The Business Associate Problem: Third-Party Vendor Risk in Healthcare

Several of the 2016 top ten healthcare breaches occurred not at the covered entity itself but at a business associate — a vendor or contractor that handles protected health information on the covered entity’s behalf. Newkirk Products and 21st Century Oncology both illustrate the business associate breach risk. The HIPAA Omnibus Rule, effective since 2013, made business associates directly liable for HIPAA violations and directly subject to HHS OCR enforcement. A business associate’s breach is also a covered entity’s breach for notification purposes, meaning that the healthcare provider whose patients’ data was held by a breached vendor must complete the full HIPAA notification process.

Healthcare organizations should ensure that their business associate agreements (BAAs) not only satisfy HIPAA’s minimum requirements but also include specific cybersecurity obligations, breach notification timeframes shorter than HIPAA’s 60-day window (to give the covered entity time to complete its own notification), indemnification provisions, and audit rights. BAAs that were drafted before the Omnibus Rule or that were never updated may be legally inadequate and should be reviewed by healthcare privacy counsel.

If your healthcare organization has experienced a data breach or needs help managing HIPAA compliance and breach response, the healthcare data breach attorneys at Revision Legal are available to assist. Contact us using the form on this page or call us at 855-473-8474.

HIPAA Enforcement Trends Following the 2016 Breach Wave

The scale of the 2016 healthcare breach wave triggered a significant increase in HHS OCR enforcement activity in the following years. Several of the organizations involved in the 2016 top ten — including 21st Century Oncology — faced HIPAA enforcement investigations. 21st Century Oncology paid $2.3 million to HHS OCR in a settlement agreement that included a comprehensive corrective action plan, demonstrating that large-scale healthcare breaches reliably result in OCR scrutiny and substantial settlements.

OCR’s enforcement priorities in the wake of the 2016 breach surge focused on organizations’ failure to conduct adequate HIPAA Security Rule risk analyses, failure to implement access controls limiting who could reach PHI, and failure to have business associate agreements in place with all vendors handling PHI. These are foundational compliance requirements, and their absence in breached organizations underscored that many healthcare entities were not meeting baseline HIPAA security standards.

State attorneys general have also become more active in healthcare breach enforcement, with several states asserting jurisdiction over healthcare organizations that breached their residents’ data. New York, California, and New Jersey have been particularly active. Healthcare organizations that have experienced a breach face potential exposure from both federal OCR enforcement and state AG investigations — making early engagement of experienced healthcare privacy counsel critical to managing the regulatory response. Contact Revision Legal using the form on this page or call us at 855-473-8474.

Image credit: Mayur Patel
