For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. This year’s Report provides insights generated from the review of more than 300 incidents that our attorneys advised on in 2015. The report confirms the prevalence of public healthcare data breaches as a result of the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule.
Why are healthcare breaches occurring more frequently?
Does the frequency of healthcare breaches mean that there are more healthcare breaches occurring or that more are reported? The answer is “Yes.” We are seeing more healthcare breaches occur. Further, since the implementation of HITECH in 2009, covered entities under HIPAA are required to report breaches to patients and the Office for Civil Rights (OCR), and for any breaches that involve 500 or more individuals in a single state or jurisdiction, they are required to issue a press release. Additionally, more and more states are including health information in the definition of “personal information” under the state statutes triggering a state obligation to notify affected residents. The Centers for Medicare & Medicaid Services (CMS) and the Joint Commission have opened investigations following certain provider breach reports. As a result, more healthcare breaches are also being reported, and our experience shows that the causes and severity of these breaches are changing, as well.
How are healthcare breaches happening?
In 2015, we saw a change in how healthcare breaches happen. Prior to 2014, hacking and phishing in healthcare breaches were rare in our experience. We began seeing a shift beginning in 2014 that continued throughout 2016. Although employee action or mistake continues to be a leading cause of healthcare breaches, healthcare is being affected by phishing/hacking/malware attacks just like any other industry. Training and other technical safeguards (such as multifactor authentication for remote access) must be considered by covered entities and their business associates. The shift in the type of attacks has also driven an increase in the severity of healthcare breaches because, in these types of breaches, there is often a lack of log evidence to demonstrate that no breach occurred.
What happens after a healthcare breach is announced?
While many of the breaches we handled in 2015 for healthcare organizations involved fewer than 500 individuals, 2015 did see a rise in very large healthcare breaches. The average number of individuals notified in healthcare breaches worked on by our team was 340,000. Severity in terms of regulatory scrutiny was also present. Any healthcare breach involving over 500 individuals will be investigated by the OCR, which is borne out in our experience as well as in messaging from the OCR. 2015 also saw an increased interest by state regulators in healthcare breaches, particularly when both HIPAA and state laws are triggered. In conjunction with the OCR investigations, state attorneys general are also responding to healthcare breaches in the form of civil investigative demands and by issuing their own separate consent orders. Further, health plans also have to answer to additional regulatory bodies, such as state departments of insurance and the National Association of Insurance Commissioners, following breach notification.
OCR and state attorneys typically look to safeguards they consider low-hanging fruit in their investigations:
- privacy and security awareness training of employees;
- policies and procedures;
- security risk analyses and risk management plans;
- intrusion detection and firewalls; and
- business associate agreements and vendor management.
Having these basic things in place not only helps during an OCR or state regulatory investigation, but also provides basic protections to help prevent breaches from happening in the first place.