Summary

  • There were 595 reported healthcare breaches in 2022, affecting more than 40 million individuals. 
  • For covered entities looking to improve HIPAA compliance, analyzing these breaches and learning from others’ mistakes is a wise idea.
  • Each breach is different, but there are a few common themes: failing to notify the OCR of violations, poor data protection policies and low zero trust maturity.

Warren Buffett once said: “It’s good to learn from your mistakes. It’s better to learn from other people’s mistakes.”

What’s that got to do with HIPAA? Well, whenever the OCR or FTC doles out a penalty for a HIPAA violation, they also publish a handy document explaining why they issued the fine and how the covered entity responsible failed to meet regulatory requirements.

Already, there have been 595 reported healthcare breaches in 2022, affecting more than 40 million individuals. Plus, if you head to OCR’s famous wall of shame, you’ll find hundreds of companies that are currently under investigation for non-compliance with HIPAA.

Going back to Buffett’s famous quote, there are a ton of HIPAA breaches that organizations can learn from. By gaining a better understanding of where other companies are going wrong, you can take a proactive approach to improving compliance, so you never land in the hot seat.

With that in mind, we’ve compiled a list of the top HIPAA breaches in 2022. 

As a little background, some of these incidents happened prior to this year, but the lengthy settlement process means that the OCR has only just reached a settlement. For some of the cases, the breaches happened this year, meaning the cases are still under review and the cost of the fine is TBD.

To that end, we’ve compiled this list based on incidents that have either involved huge fines or, if they occurred this year, exposed a huge number of patient records.

There’s a lot to learn, so let’s get started! 

HIPAA Breach #1

Organization: Oklahoma State University – Center for Health Sciences

Cost: $875,000

How it happened

In 2018, Oklahoma State University reported a data breach to the OCR after a threat actor compromised one of the university’s web servers, giving them access to the PHI of almost 300,000 patients. The stolen data included a wealth of sensitive information, such as names, dates of birth, contact details, treatments, Medicaid numbers, healthcare provider names and dates of service.

To make matters worse, the university was two years late reporting the incident. The attacker had first gained access back in 2016! The entity discovered the breach in 2017, and did not report it until 30 days after HIPAA’s 60-day notification deadline had passed.

When the OCR investigated, it found the university in violation of several other HIPAA requirements: it had failed to conduct a proper risk analysis, had not put audit controls in place and had no incident response plan.

How to avoid a similar incident 

Oklahoma State University went wrong in a number of ways. Overall, it failed to really consider the value of the PHI it held, and didn’t put in place the proper controls to protect this data.

To prevent a similar incident in your organization, you need to understand where your PHI is stored, gain a clear understanding of the risks to it, and put in place adequate safeguards to protect it. You can do this by implementing data discovery, combined with data loss prevention (DLP), to identify, classify and secure PHI across your organization.

In today’s climate, it’s vital to remember that a lot of PHI may be swirling around cloud environments like Slack, Google Workspace and Box. Make sure to use cloud-based DLP tools to discover and protect your PHI in these apps.
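To make the discover-classify-secure loop concrete, here is a small PHI discovery scanner over constructed Slack-style messages. It is an added example, not code from the original post or from Polymer’s product: the regex patterns, the health-context keyword list and the sample messages are all assumptions, and a production DLP ruleset would be far broader.

```python
import re

# Constructed detectors for identifier types named in this post (SSNs, dates of birth,
# Medicaid numbers, record numbers). Illustrative patterns, not a production DLP ruleset.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})\b", re.I),
    "medical_record_number": re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.I),
    "medicaid_number": re.compile(
        r"\bMedicaid\s*(?:number|#|id)?\s*[:#]?\s*((?=[A-Z]*\d)[A-Z0-9]{8,12})\b", re.I),
}
# MRNs and Medicaid numbers are health-linked on their own; an SSN or DOB only becomes
# PHI when the same message also carries a health context (assumed keyword list).
HEALTH_LINKED = {"medical_record_number", "medicaid_number"}
HEALTH_CONTEXT = re.compile(r"\b(?:diagnos\w*|treatment|patient|prescription|insurance)\b", re.I)

def scan(text):
    """Return [(kind, value)] for every PHI identifier found in one message."""
    findings = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((kind, m.group(m.lastindex or 0)))
    return findings

def classify(text):
    """'none', 'pii' (identifier only) or 'phi' (identifier plus health linkage)."""
    kinds = {kind for kind, _ in scan(text)}
    if not kinds:
        return "none"
    if kinds & HEALTH_LINKED or HEALTH_CONTEXT.search(text):
        return "phi"
    return "pii"

def redact(text):
    """Mask only the identifier value, keeping its label (e.g. 'DOB:') for readability."""
    for kind, pattern in PHI_PATTERNS.items():
        def mask(m, kind=kind):
            idx = m.lastindex or 0
            start, end = m.span(idx)
            whole, base = m.group(0), m.start()
            return whole[: start - base] + f"[{kind.upper()} REDACTED]" + whole[end - base:]
        text = pattern.sub(mask, text)
    return text

# Constructed sample chat messages, the kind a cloud DLP scanner would see in Slack.
SAMPLE_MESSAGES = [
    "Lunch at noon? The cafeteria has tacos.",
    "Can you update the billing address for Jane Doe, SSN 123-45-6789?",
    "Patient MRN 0048213 DOB: 04/17/1962 treatment plan attached for review",
    "Medicaid #: AB12345678 diagnosis follow-up scheduled Thursday",
]
```

A DLP policy would then act on the classification (for example, block or quarantine any message classified as `phi` posted to a channel outside the care team) while the redacted copy keeps the audit trail readable.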

HIPAA Breach #2

Organization: New England Dermatology and Laser Center (NEDLC)

Cost: $300,640

How it happened

For years, NEDLC employees had engaged in the unscrupulous practice of emptying specimen containers, their labels covered in PHI, into trash cans in the company’s parking lot. The labels carried details like patient names, dates of birth and medical information, all of which require stringent protection under HIPAA.

One day, a security guard working for the company noticed the containers in the trash and raised the issue internally. This led NEDLC to come clean to the authorities. But their gesture of goodwill didn’t diminish their fine. They were fined just over $300,000 by the OCR for improper disposal of PHI and failure to maintain appropriate data safeguards.

How to avoid a similar incident 

This breach underscores the importance of protecting data physically, as well as digitally. Luckily, it’s pretty easy to avoid a similar breach in your company. Don’t dispose of physical materials with PHI on them without first making them unreadable or indecipherable.

HIPAA Breach #3

Organization: Memorial Hermann Health System

Cost: $240,000

How it happened

The Memorial Hermann Health System was fined a whopping $240,000 after a complainant’s request for records went unfulfilled for 564 days! That’s over 504 days longer than the law allows.

As the OCR noted when it gave out this fine, “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records.”

The enforcement agreement for this matter gives little indication of why this incident occurred, but we can reasonably infer that the covered entity didn’t have the infrastructure in place to respond to access requests in a timely manner.

How to avoid a similar incident 

Responding to access requests in a timely fashion comes down to processes and procedures. You should have a formal structure in place for requests for records and your employees should know their responsibilities within that structure. 

As well as implementing a structure for access requests, you must also ensure you know where your data is. Otherwise, your employees won’t be able to find it! Data discovery tools, combined with automated workflows, can make responding to access requests streamlined, effortless and secure. 

HIPAA Breach #4

Organization: ACPM Podiatry

Cost: $100,000 

How it happened

Like Memorial Hermann Health System, ACPM Podiatry also failed to respond to a HIPAA access request: a former patient requested records on November 13, 2018, and still hadn’t received them over a year later.

The patient then filed a complaint with the OCR in 2019. The OCR then asked ACPM to respond to the request by June 29, 2019. The company failed to do this. The practice also failed to respond to a number of other requests from OCR investigators during this period.

Finally, in 2020, the patient received their medical records, but they were incomplete! Plus, the records were sent to the patient 618 days after the initial request. 

How to avoid a similar incident 

First things first, don’t ignore the OCR! Burying your head in the sand is never a good idea, and will only lead to a heftier penalty. Communication is undoubtedly critical.

Beyond that, as above, make sure you have the right procedures and tools in place to enable your team to respond to patient access requests. In this case, the patient needed their medical information for an insurance claim. It took 618 days for ACPM to reply, meaning the victim was unable to make the claim that they needed, which is very unfair. 

HIPAA Breach #5

Organization: Great Expressions Dental Center of Georgia

Cost: $80,000 

How it happened

In November 2019, a patient at this dental firm asked for her medical records. The practice said they would only provide the records if the patient paid a $170 copying fee. Not having any of it, the patient went to the OCR and filed a complaint. 

After an investigation began, the practice finally provided the patient with her medical records a year and a half later in February 2021. OCR concluded that the dental center had failed to provide—you guessed it—timely access to medical records. It also ascertained that its copying fees were unreasonable. 

How to avoid a similar incident 

This incident is a little different from the previous timely-access cases. It seems that Great Expressions Dental Center of Georgia had access to the patient’s health records. They just didn’t hand the information over.

To prevent a similar violation in your company, you should review your processes regarding patient access requests from an ethical standpoint: are they fair and reasonable? 

Beyond that, employee education is vital here. Your people should know their duties under HIPAA, and do their best to meet compliance obligations, rather than block patients from receiving the data they are entitled to. 

Adding to that, we want to stress that not all HIPAA training is created equal. One-off training days rarely work. In fact, HBR research shows that traditional training methods are ineffective at triggering long-term behavioral change. By contrast, dynamic training, such as in-app nudges, helps to build a culture of security and privacy in the organization. You can find out more about nudge training here.

HIPAA Breach #6

Organization: Shields Healthcare Group 

Cost: TBD

How it happened

In early March, a malicious actor infiltrated Shields Healthcare Group’s network server. They went undetected on the network for two weeks until the company’s security team investigated a system alert and realized they’d been breached. 

While Shields isn’t sure how much data was stolen during the incident, it noted in its incident notice that the network segment accessed included PHI and PII, including: full names, Social Security numbers, diagnoses, billing information, insurance numbers, medical record numbers, patient IDs, and other treatment information.

How to avoid a similar incident 

There are two big lessons here. Firstly, Shields Healthcare Group should have implemented robust data loss prevention, combined with zero trust access, to stop the attacker from ever reaching such sensitive information. Used in tandem, these controls prevent malicious actors from exfiltrating sensitive information, even if they manage to compromise an employee’s credentials.

Secondly, it took the company far too long to respond to the security alert about the incident. We all know that security teams are overburdened by alerts, so we’re not blaming the team. Rather, we think the company should have harnessed the power of automation to alleviate the need for manual intervention. 

HIPAA Breach #7

Organization: Broward Health

Cost: TBD

How it happened

Broward Health suffered a data breach impacting over 1.3 million patients after one of its third-party medical providers was compromised by a hacker. The provider had access to Broward Health’s patient database, meaning the attacker was able to access and steal huge troves of PHI. 

While it’s not certain how the attacker compromised the third-party, it’s been widely speculated that the supplier had failed to implement multi-factor authentication. 

How to avoid a similar incident 

Third-party data breaches are becoming increasingly common. According to the Ponemon Institute, third parties are involved in over half of the data breaches in the US, and these incidents cost, on average, twice as much as a typical breach.

To stop something similar happening in your organization, you need to deploy zero-trust principles in your cloud environment, ensuring that only authorized, verified users can access sensitive information. Even then, you’ll need to use security solutions like cloud DLP that ensure users can only interact with PHI in a lawful way. 

HIPAA Breach #8

Organization: Morley Companies

Cost: $4.3 million class action lawsuit, HIPAA fine TBD

How it happened

Morley Companies is a provider of business services to organizations across sectors, including quite a few healthcare companies. Last year, the company suffered a ransomware attack, resulting in the data theft of PHI relating to over 500,000 individuals. 

The data stolen included valuable information like Social Security Numbers, client identification numbers, medical diagnostic and treatment information and health insurance information.

You would think that Morley Companies notified those impacted quickly after the incident, but they didn’t. They only informed the public about the incident in February of this year, over six months after the attack took place!

In that time, numerous fraud incidents could have taken place, with victims none the wiser they were at risk. 

While the OCR jury is still out on this one, victims of the breach quickly brought a class-action lawsuit against the company, resulting in a settlement of $4.3 million. 

How to avoid a similar incident 

There are two strings to this bow. Firstly, if you suffer a security incident, don’t keep your victims in the dark. Notify those impacted as soon as possible. It’s your duty under HIPAA, and the right thing to do.

Secondly, you need to invest in ransomware protection: phishing training, good security hygiene, incident response and backing up data regularly are all key to reducing the ransomware threat. You can find out more about protecting against ransomware on CISA’s website. 

Looking Ahead 

HIPAA breaches continue to rise year-on-year. PHI is extremely lucrative information for malicious actors, so it’s no wonder this is the case. For covered entities, meeting the requirements of HIPAA is the best way to defend against these attacks. 

On top of this, if you ever do find yourself in a situation where your company has violated HIPAA, honesty is always the best policy. Regulators don’t look kindly on organizations that have tried to dupe them, so always be transparent and always do your utmost to protect patient data.

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.
