After a decade of HIPAA Privacy and Security Rule efforts, data breaches continue to increase. The year 2015 represents a banner year for notable data breaches involving Protected Health Information (PHI), as providers and health plans have faced an increasing number of attacks by hackers, often from abroad. Reports estimate that more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. That figure is likely a significant underestimate, however, because most breaches involve fewer than 500 people; those smaller breaches are reported to HHS only in an annual log and are not posted on the public breach portal, so they rarely surface in the counts.
Earlier in the year, Anthem suffered one of the largest data breaches to date, with approximately 80 million records exposed. There have also been a large number of notable PHI breaches in every sector of the health care industry, many of which never reach the media. More recently, a high-profile data breach occurred at UCLA, my alma mater, where hackers broke into the UCLA Health System's computer network and gained access to sensitive information on up to 4.5 million patients, hospital officials said. UCLA had failed to take the basic step of encrypting this patient data, and the FBI found that the cyber-attack was conducted by a highly sophisticated group of hackers, likely offshore.
In 2008, UCLA had a problem when staff members were found prying into the medical records of celebrities including Britney Spears, Farrah Fawcett, Maria Shriver, and others, leading to the conviction of one person for selling celebrity medical information to the National Enquirer. UCLA paid $865,500 to settle with the OCR. Recently, Jackson Memorial Hospital leaked the medical condition of Jason Pierre-Paul of the New York Giants to ESPN after he was hospitalized with a July 4th fireworks injury. The hospital had already been the subject of three other significant PHI breaches and now faces another headache on the subject. Beyond the monetary payments, both UCLA and Jackson Memorial also pay the penalty of undesirable publicity. Further, UCLA has the added burden of sending a huge volume of notification letters to affected persons, a job no health care provider likes to do.
The question for many is: if huge enterprises with sophisticated systems are so vulnerable, what does this mean for everyone else? Is the problem that these organizations are too big to be safeguarded? The reality is that breaches will continue for the foreseeable future because the healthcare sector is under pressure to quickly build large systems to house huge amounts of data as it moves from paper records to digital patient information. Unfortunately, in building these huge data warehouses and electronic health record systems, organizations have allowed many system weaknesses to creep in. Furthermore, there always remains the problem of keeping insiders from leaking the information of notable patients.
Betta Sherman, an expert on HIPAA, notes that "historically, the entities with the greatest vulnerability to breaches have been hospitals/health systems, physician practices, and health plans." Others experiencing problems are outpatient facilities, pharmacies, government agencies, and academic institutions. According to the OCR's most recent annual breach report to Congress, business associates were responsible for approximately 25% of all breaches affecting 500 or more individuals in 2011 and 2012. Another experienced consultant in this area, Carrie Kusserow, adds: "the most common reported problems involving PHI relate to impermissible disclosures, insufficient safeguards, complaints from patients getting access to their PHI, inadequate administrative safeguards of electronic data, and disclosure of more than the minimum necessary information."
Dr. Cornelia Dorfschmid warns organizations that "in order to avoid the risk of breach of PHI, institutional providers need to have baseline security reviews including an annual evaluation of their safeguards of systems containing PHI." Dorfschmid stated: "unfortunately, many providers fail to adequately meet this standard and rely upon representations by their IT operational staff – staff that may lack understanding of the complexity of HIPAA requirements." She added: "in other cases, provider resources may be limited due to implementation of new systems or due to the need to put out other fires." She advises that "technical reviews need to focus on proper encryption, application and transmission security, as well as determining how technical safeguards are pushed down the chain (i.e., business associates and vendors)." Technical safeguards must be monitored continuously and combined with administrative reviews if an organization is to get a handle on its PHI risks.
The continued rise in HIPAA data breaches underscores the need for independent security evaluations to identify and correct control weaknesses. It brings to mind the old adage "an ounce of prevention is worth a pound of cure." In the case of UCLA, the entire University of California system is now re-examining data security across all of its campuses. Unfortunately, their situation sounds a little like another old adage: "locking the barn door after the horse has been stolen."