Healthcare and Hackers: Unsecured Data Breaches of PHI on the Rise

It is tragic, but it has become a daily occurrence. Headlines across the country focus on ransomware, data, and software breaches that strike at the very core of an individual’s information security. In the past two years alone, there have been over 800 security breaches targeting healthcare providers and health plans reported to the U.S. Department of Health and Human Services (HHS), exposing the sensitive protected health information (PHI) of more than 48 million individuals. Analyzing the breach data reveals a disturbing trend: these attacks are increasing in frequency and severity. In this piece, we will analyze the breaches reported by the HHS Secretary and discuss how Aver, which is HITRUST CSF Certified, protects valuable client information including PHI.

How Breaches Happen

According to the U.S. Department of Health and Human Services, there are three primary types of breaches: hacking/IT incidents, unauthorized access, and theft. Hacking/IT incidents are the most prevalent, accounting for over 90% of all reported breaches during the time period analyzed. Often, hacking is made possible when employees of healthcare providers and/or health plans use the same password for personal and work accounts. Once their personal account is hacked, their work account is exposed as well. Even websites that encrypt passwords remain vulnerable, as encryption can be broken given enough time. Phishing, a form of social engineering, is another common cause of data breaches. Phishers trick those with legitimate access to sensitive data into sharing that access, thereby exposing the data. Malware and application vulnerabilities also contribute to the number of observed breaches.

Security Breaches Target Populous States

[Figure: two maps of the continental United States, "Number of Security Breaches Reported" and "Number of Individuals Affected"]

Mapping the data onto a model of the continental United States reveals that the number of breaches and the number of individuals affected in those breaches are generally highest in larger, more populous states. Texas, California, New York, and Florida are most heavily impacted by these cybersecurity attacks. Almost one in three security breaches stems from these specific states. Florida residents have had the most exposure, with over 11 million individuals’ PHI involved in a security breach during the time period reviewed. This analysis highlights the importance of protecting health plans and healthcare providers with customers in those states.

Security Breaches are Increasing in Frequency & Severity

Once charted, the data show a dramatic increase in the volume of data breaches over time, increasing sixfold from June 2019 to June 2021. The number of individuals targeted with each data breach is increasing as well. Healthcare plans and providers are going to be increasingly at risk of security breaches, and therefore strong data protection principles are essential moving forward.

Healthcare Providers are the Most Vulnerable

Categorizing incidents and individuals affected by entity type reveals that healthcare providers experienced the most frequent and severe data breaches, with 625 security incidents reported (77% of all cases) impacting over 23 million patients. Healthcare data is extremely valuable because it often contains multiple types of personal information, as opposed to the single piece of information that may be found, for example, in financial or other types of data breaches. As such, it is imperative that all parties involved with healthcare data, especially healthcare providers, take steps to safeguard it.

How Aver Protects its Clients

Protected Health Information is extremely valuable and sensitive, which is why so many data thieves target healthcare providers and plans. Now more than ever it is important to trust the companies with whom you have a business relationship. Aver has a proven track record of protecting its clients and their 31+ million members. Steve Vandenburg, Aver’s Director of Information Security, describes Aver’s experience and background with data security:

“Aver has in place a robust, resilient, and responsive security program. Aver achieved its first HITRUST certification in 2018, and has successfully achieved recertification in all subsequent assessments. This achievement places Aver in an elite group of companies. Aver’s HITRUST CSF Certification is evidence that they are at the forefront of industry best practices for information risk management, security, and compliance.”

Data breaches are incredibly damaging for the businesses that suffer them and the individuals represented by those entities. Since 2010, Aver has successfully protected the data of over 31 million members from all attempts to steal them. As Aver expands its presence in the value-based care industry, it will continue to place the utmost importance on data protection and security technology. The ever-growing threat posed by data thieves demands it.

References

U.S. Department of Health and Human Services Office for Civil Rights

Ransomware attack on revenue cycle vendor exposes 1.2 million patients, employees

Hackers, healthcare data breaches, and why PHI is valuable to criminals