In 2022, the top 10 healthcare data breaches will be caused by vendors providing services to health systems or medical practices. Therefore, providers must prioritize security and abide by HIPAA regulations in order to remain compliant.
Community Health Network in Indiana recently alerted patients to a breach involving third-party tracking technologies.
1. Shields Health Care Group
Shields Health Care Group, a Quincy-based medical imaging provider, was recently hit by a hacking incident affecting up to two million patients. This incident ranks as the second largest healthcare data breach this year according to an update on the Department of Health and Human Services’ breach reporting portal.
Data affected includes names, Social Security numbers, addresses, insurance information, medical treatment and billing details. Unfortunately, the company has yet to determine if any of this information was used for identity theft or fraud.
The Shields breach serves as a stark reminder that cyberattacks can have far-reaching effects for patient data, particularly when many healthcare organizations rely on an extensive network of third-party vendors.
Healthcare organizations must carefully scrutinize their vendor relationships to guarantee they adhere to best practices in data security and privacy. This includes verifying they are compliant with HIPAA, which could reduce liability if a breach occurs.
2. OneTouchPoint
In 2022, the majority of the 10 largest healthcare data breaches will be caused by vendors and business associates that access private information. These vendors provide services to hospitals, health systems, medical practices, insurers and other companies with sensitive health data.
In April, Wisconsin-based printing and mailing vendor OneTouchPoint was breached, exposing the personal information of 4.1 million individuals. This breach affected 34 healthcare organizations as well as over 40 health insurance carriers and medical providers.
According to the lawsuit, OneTouchPoint suffered a data breach due to a ransomware attack in which the attacker accessed its servers. As a result, data including patients’ names, member IDs, health assessment information and other personal details was exfiltrated from these servers.
3. Advocate Aurora Health
Advocate Aurora Health, which merged with Atrium Health in May, experienced a data breach that exposed up to 3 million patients’ personal information. On its website, the health system, based in Downers Grove and Milwaukee, announced that it has disabled “pixels,” an ad tracking technology used on its Epic patient portal MyChart and on its LiveWell app and website.
According to a statement released by the company, patients’ health information had been exposed due to internet tracking technologies that included Google and Facebook’s parent company Meta. As a result, the health system has disabled pixel technology and launched an investigation into how this data was leaked.
According to attorney Andrew Mahler, vice president of privacy and compliance at CynergisTek, most of 2022’s 10 largest healthcare data breaches can be linked back to vendors that accessed or shared data – such as third-party health insurance providers, clinical research organizations and medical record storage firms. Such incidents emphasize the need for strong threat management as well as robust security policies and procedures in place at these organizations.
4. Infinity Rehab
In 2022, the majority of the 10 largest healthcare data breaches will involve vendors providing services to healthcare organizations. These firms had access to patient information such as names, Social Security numbers, dates of birth, medical diagnoses/conditions and treatment details.
Shields Health Care Group experienced one of the most serious breaches when their systems were breached and patient data stolen in March. A few weeks after notifying patients and their families about this incident, management decided not to press charges against anyone involved.
Another significant breach occurred at Advocate Aurora Health. This healthcare management system had more than 3 million patient records compromised due to a cyberattack.
Data breaches often involve ransomware such as Cerber, which is notorious for holding files hostage and demanding money in return. Although this type of ransomware can be difficult to detect and spread, it remains highly hazardous.
5. Avamere Health Services
Most of the 10 largest healthcare data breaches in 2022 can be linked to vendors or providers with a history of cybersecurity issues. Avamere Health Services, which operates over 80 senior living and healthcare businesses including nearly a dozen home care and hospice agencies in Wilsonville, OR, is just one example.
Recently, the company reported that an unauthorized party had extracted files and folders from a third-party hosted network between January 19, 2022, and March 17, 2022. The affected documents contained identifiable protected health information such as full names, addresses, dates of birth, driver’s license/state ID numbers, Social Security numbers, claims information, financial account numbers, medication information, lab results and medical diagnosis/condition information.
Avamere has notified all affected individuals and is offering complimentary credit monitoring services. Furthermore, the company has developed best practices for protecting patient data security, offering a complimentary annual HIPAA audit to all impacted patients as an extra measure.
6. Broward Health
In 2022, the 10 largest healthcare data breaches are believed to be caused by vendors who failed to protect their clients’ records. Not only did these vendors not secure patient information, but they may have also failed to encrypt files or implement robust network security measures.
According to IBM’s 2022 Cost of a Data Breach report, data breaches cost hospitals and health systems millions of dollars in damages as well as damaging their reputations. They also increase cyber insurance premiums, necessitate costly cybersecurity remediation efforts, and can result in class action lawsuits.
Hackers frequently attempt to trick healthcare workers into opening phishing emails, potentially leading to the compromise of personal information. According to IBM Security’s recent study, this occurs more than half the time.
7. Connexin
The healthcare industry has experienced some of the highest-volume and highest-cost cyberattacks, with reports that another round is imminent. To stay safe, healthcare organizations need to enhance their cybersecurity measures as well as protect patients’ data.
In 2022, most of the top 10 largest healthcare data breaches will be due to vendors who failed to protect patient information. This poses a major concern for any business associate that provides services to healthcare organizations; it’s especially critical for hospitals and health systems that have relationships with third-party contractors.
OneTouchPoint, a printing and mailing vendor, was the victim of a ransomware attack that exposed 4.11 million private medical records. Although no specifics were released about the breach, it’s believed to have been a HIPAA violation. Furthermore, they delayed notifying affected organizations and their patients for months – another breach of the HIPAA Privacy Rule.
8. Choice Health Insurance
In 2022, the 10 largest healthcare data breaches will primarily involve service providers like health insurers and third-party vendors; however, these breaches can also impact hospitals and health systems.
An analysis by IBM Security indicates the average cost of a healthcare data breach will reach $10.1 million in 2022, an increase of 42% over the prior year. This amount includes clean-up expenses, lost business opportunities, class action lawsuits and financial penalties from regulators.
Choice Health Insurance, which sells Medicare products on Humana’s behalf, experienced a data breach that affected 22,767 individuals. A notice from both Choice Health and Humana stated the breach occurred due to an Internet security configuration error that allowed access to the database through the internet.
9. Demigos
Healthcare providers have a special responsibility to safeguard patient data, making cybersecurity an integral part of their work. They handle connected medical devices and electronic health records, work closely with payers, and must adhere to HIPAA and HITECH regulations.
There are several steps your healthcare organization can take to safeguard against a data breach, such as updating software regularly, employing encryption techniques and adhering to governmental regulations. Furthermore, it’s essential that you avoid third-party vendors who don’t meet your security standards.
In 2022, most of the 10 largest healthcare data breaches were caused by vendors accessing data without authorization. Nevertheless, several incidents could also be attributed to providers neglecting to consider potential privacy implications when installing tracking tools on their websites or failing to follow HIPAA compliance requirements for these tools.