40 Million

The US state with the highest population is California.  At the end of 2019, it was 39.56 million.  That’s A LOT of people, right?

Yes.  However, according to the recent study published by Fortified Health Security, 40 MILLION Americans were affected by a healthcare data breach in 2019 alone.  That represents an increase of 65% over the total of the year prior.

How Do They Do It?

First and foremost, they hack into various systems.  This happens most often because of human error.  That is the common denominator in the majority of breaches of any kind.   Phishing emails are an easy way to get unsuspecting employees to reveal passwords or deploy methods that allow cybercriminals to easily access the systems illegally.

In the Fortified Health Security report, it was revealed that after analyzing data from 2009 through 2019, more than 189 million records have been breached during that time.  The most targeted organizations were those that were providers – and they were the most successful for a hacker to breach.  In 2019, more than 334 provider entities were affected, allowing access to over 22.7 million patient details.  Health plans and healthcare business associates were next in line for the most often hacked businesses.

The Fines Add Up

HIPAA breaches can often result in fines and penalties issued by the Office for Civil Rights (OCR). OCR was able to accrue eight resolution agreements in the first 10 months of the year.  These were accompanied by a fine, and the average amount of each fine was $1.6 million – and that also meant corrective action plans that had to be in place, which could uncover other possible flaws in an organization’s HIPAA compliance, such as gaps in their policies and procedures.

The rate at which data breaches are happening isn’t increasing slowly and steadily, it’s rocketing past any expectations we could have set.  As a healthcare organization, it’s important to take a step back and ensure that you have HIPAA and cybersecurity policies in place, action plans outlined, and corrective action plans in place for when a breach occurs.  While it used to be common to assign the person at the front desk the role of overseeing all things, this should ideally be a qualified individual who has a dedicated role as a HIPAA Security (and in some cases) Privacy Officer.  Ongoing programs should also be in place to train employees against the tactics that are being used daily to take down their business through their human error.