January 19, 2017 — Now that 2016 has wrapped up, the numbers coming out of the Department of Health and Human Services are stark – at least if you are an entity subject to HIPAA/HITECH. The dollar amount of financial settlements is up, both in total and per breach; the number of reportable data breaches has increased; and the number of patient records accessed was the second largest on record. There are multiple factors at play here, including increased enforcement activity by HHS Office of Civil Rights (HHS OCR), more stringent reporting requirements, and the increasing use of electronic storage of records and the additional vulnerability to cyberattack that type of recordkeeping represents.
During the course of 2016, OCR nearly tripled its previous financial settlement intake record ($8 million in 2014) to a new high of $23.5 million. The largest settlement was made with the Chicago-based Advocate Health Care Network, one of the largest health systems in the country, which agreed to pay $5.55 million and adopt a corrective action plan. Other big settlements included NewYork-Presbyterian Hospital and Columbia University at $4.8 million and Cignet Health at $4.3 million. The average cost per settlement increased as well – up to $1.8 million.
The data seems to suggest that, following multiple warnings over the last few years, OCR is, in fact, “taking the gloves off” when it comes to enforcement and issuing stiff penalties for noncompliance. Pressure on HHS from the legislative branch has probably pushed matters along as well, as legislators respond to the demands of constituents for tougher enforcement and bigger financial penalties for entities that are failing to safeguard their personal health records.
The so-called “Wall of Shame,” a list of breaches of unsecured protected health information affecting 500 or more individuals maintained by the HHS OCR, shows 326 breaches were reported in 2016. This number includes everything from major hacking incidents to loss, theft, and accidental disclosures. The numbers on cyberattacks are truly alarming. Through the end of 2016, the data captured by HHS OCR indicates that 65 major cyberattacks hit healthcare organization servers during the year, up from 14 in 2015, marking a nearly 5-fold increase in the number of reported attacks. Following cyberattacks and hacking, breaches also occurred through theft (62), improper disposal (7), unauthorized access/disclosure (130), and loss (16).
While some increase in the number of reported breaches in recent years may be due to changes in reporting regulations, the astounding leap in the reported number of cyberattacks is a strong indicator that hospitals and other medical providers are not keeping pace with technological changes that would enable them to defend against increasingly sophisticated cybercriminals. IT experts point to two primary vulnerabilities in healthcare: medical device hijacking and an increased use of ransomware.
Also according to the “Wall of Shame,” the largest number of individuals affected by a breach was reported by Banner Health in August. In that instance, nearly 3.7 million people had their personal health information disclosed due to a hacking incident. Runners up included Newkirk Products, Inc. at 3.5 million and 21st Century Oncology at 2.2 million. Overall, nearly 16.6 million patient records were possibly compromised. While this is a major downturn in the overall numbers from 2015, when over 113 million patient records were affected (largely due to the massive breach at Anthem which hit over 80 million patients), the number still represents the second highest ever recorded since HHS OCR began tracking the data.
As in years past, healthcare providers reported the vast majority of breaches in 2016, with 253 reported breaches, followed by insurers at 51, with Business Associates making up the remainder.
There is no reason to suspect that the trends of 2016 won’t be continuing into 2017, with ever increasing cyberattacks targeting the healthcare industry, leading to increased disclosure of protected patient information and ultimately, for many entities, costly penalties. Going forward, healthcare entities must implement vitally important security practices and adopt basic safeguards like anti-malware tools, firewalls, and encryption. In addition to upping their IT game, every business subject to HIPAA/HITECH should take action to update compliance policies and safeguards to help prevent organizational failures to safeguard protected information and to account for emerging threats to that information, including conducting due diligence on business associates and enforcing business associate agreements. The Health and Pharmacy Law attorneys at FisherBroyles can provide guidance on HIPAA and Data Security issues related to protected health care information. Contact any of the following attorneys for additional information.