Healthcare Hacks Fell for Third Straight Month, US Health Department Reports

Are healthcare sector investments in cybersecurity paying off? It’s looking that way.

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), said that February 2022 saw a new low in hospital and health system data breaches.

It’s encouraging news, given that 2021 is generally considered the worst year on record for healthcare data breaches. Health organizations were ordered to report all 2021 data breaches by March 1 under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

“For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen,” HIPAA Journal reported. “Forty-six healthcare data breaches of 500 or more records were reported to OCR in February — an 8% fall from January.”

Even so, the Health Department still received an average of two reports daily about healthcare-related data breaches over the past 12 months. From March 2021 through February this year, that meant 723 reported data breaches of 500 or more records.

Healthcare Hacks Down, But Not Out

HIPAA Journal said the 46 incidents reported in February compromised the healthcare records of roughly 2.5 million patients — an alarming figure that the publication nonetheless called “considerably lower than the average 3.5 million records breached” monthly in 2021.

According to the latest tally, some 42.1 million healthcare records, at a minimum, were exposed between March 2021 and February 2022.

Things are worst on the front lines, with the department noting that providers were the most affected entity in February, reporting 35 breaches involving around 1.6 million individuals. Health plans reported six breaches involving 21,284 records, and business associates of HIPAA-covered entities self-reported five breaches involving 633,584 records.

While the current downward trend suggests that anti-fraud measures taken by healthcare organizations are having an effect, Shannon Burke, senior vice president and general manager, health systems, at Synchrony, recently told PYMNTS that financial data is “not something that you can separate from the medical journey.”

“As we look at the whole journey, we have woven so much of financial and medical together, yet one really negative payment experience can absolutely overshadow for a patient any positive clinical outcome,” Burke said.

Stolen Data ‘Lives on Forever’

On Monday (March 28), the OCR reported legal actions against five health practices found not to be complying with — or outright violating — HIPAA record and access standards.

In a press release on the HHS website, OCR Director Lisa J. Pino said, “Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously.”

On March 24, news site Modern Healthcare reported on 10 recent cybersecurity breaches at hospitals and health systems, including a January attack on Florida-based provider Broward Health in which hackers breached servers holding approximately 1.3 million records.

Speaking with PYMNTS’ Karen Webster less than two weeks after the New Year’s Day breach at Broward Health, Featurespace founder Dave Excell gave a sense of the danger, saying stolen health information “lives on forever.”

“Your medical history doesn’t change — it’s like your fingerprints,” Excell continued. “Once that information is ‘out there,’ it can be used in different ways.”