August 8, 2020

Volume X, Number 221


Health Care Data Breaches Are Increasing Both in Number and Cost

It feels like we’ve been seeing a lot more health care breaches caused by hackers and other IT security incidents recently, and there’s a good reason why: a recent report by cloud security company Bitglass confirms that both the number of breaches and the number of individuals affected by breaches caused by hackers and IT incidents grew significantly last year. Bitglass analyzed data from the HIPAA breach notification portal, also known as the “Wall of Shame,” published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Pursuant to the HITECH Act, HHS is required to post a list of all reported breaches that affect 500 or more individuals. OCR classifies the types of breaches reported on the Wall of Shame, and the “Hacking/IT Incident” category covers a variety of breaches, including malicious intrusion, malware, ransomware, phishing, and general IT security failures.

We’ve blogged many times recently about data breaches caused by hackers and other IT security incidents. (For example, see here and here.) Bitglass’s report found that, between 2018 and 2019, there was a 33% increase in the total number of breaches (290 vs. 386) and a 46% increase in the number of breaches caused by hacking or IT incidents (133 vs. 234). According to the report, hacking or IT incidents are currently the largest cause of breaches among health care organizations and accounted for over 60% of the total number of breaches and 86% of affected individuals last year. To add insult to injury, the cost per breach also increased significantly between 2018 and 2019, from $408 to $429 per affected individual. Therefore, more people are being impacted by hacking and IT incidents than by other types of breaches, and responding to breaches is becoming costlier than ever before.

Unfortunately, these numbers are not surprising given last year’s large-scale breaches caused by hackers at various types of health care organizations, such as electronic medical records company Medical Informatics (affecting about 3.5 million people) and billing firm American Medical Collection Agency (affecting about 20 million people). As we previously discussed in the HIPAA year-in-review post, OCR enforcement has been, and will continue to be, increasingly aggressive. Multi-million-dollar fines are now the norm, which adds to the increasing cost of handling large-scale breaches. Echoing Bitglass’s findings, the FBI warned health care organizations in October that ransomware attacks have become more targeted, sophisticated, and costly, with health care organizations remaining a high-value target. Health care providers must remain vigilant in training workforce members and implementing adequate security safeguards to minimize the risk of hacking and other types of breaches.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume X, Number 51


About this Author

Sarah Beth S. Kuyers, Mintz Levin, nonprofit affiliation lawyer, health care systems attorney

Sarah Beth’s practice involves a variety of regulatory, transactional, and enforcement defense matters for clinical laboratories, hospitals, pharmacies, insurers, and other health care clients.

Sarah Beth routinely advises clients on a wide variety of federal and state health care regulatory issues, including anti-kickback and self-referral laws, licensure and scope of practice rules, telemedicine, certificate of need applications, food and drug law, and HIPAA compliance. She also handles licensure and regulatory filings for clinical laboratories and other health care providers....