It is no secret that protected health information (or "PHI") is increasingly at risk of cyberattacks. In 2022 (the most recent year for which this statistic is available), the Department of Health and Human Services Office for Civil Rights ("OCR") received over 30,000 new complaints alleging violations of HIPAA and, in addition to other efforts, completed over 800 compliance reviews, requiring entities to take corrective action or pay civil money penalties.

How do these breaches most commonly occur?

Hacking incidents were the largest category of breaches in 2022, comprising 77% of reported breaches. OCR further reports that over the past five years there has been a 256% increase in reported significant hacking breaches (affecting over 134 million individuals in 2023 alone) and a 264% increase in reported breaches resulting from ransomware attacks. Ransomware is a type of malware (malicious software) designed to deny a user access to their data until a ransom is paid, usually by encrypting the data with a key known only to the attacker who deployed the malware.

OCR recently reported settling an investigation of a ransomware attack affecting the PHI of over 14,000 individuals. In 2019, a Maryland-based behavioral health practice reported its network server had been infected with ransomware, resulting in the encryption of company files and the electronic health records of all patients. OCR's investigation uncovered evidence that the practice did not comply with HIPAA's privacy and security rules by failing to have a process in place to evaluate risks and vulnerabilities, failing to implement appropriate security measures, and failing to sufficiently monitor its systems' activity to protect against a cyber-attack. Under the terms of the settlement, the practice was required to pay $40,000, and a three-year corrective action plan was imposed.

How can your covered entity avoid a breach of PHI through hacking or ransomware, and the investigation and penalties that follow?

OCR has some suggestions:

  • Review vendor relationships to ensure appropriate business associate agreements are in place that address breach obligations;
  • Regularly conduct risk analysis and risk management efforts;
  • Implement audit controls to record and examine information system activity;
  • Mandate multi-factor authentication for access to PHI;
  • Encrypt PHI;
  • Incorporate lessons learned from prior security incidents; and
  • Provide and reinforce regular training.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.