April was a terrible month for the healthcare sector, with more data breaches and more individuals affected than in March. The Department of Health and Human Services received 41 reports of healthcare data breaches, which led to 894,874 healthcare records being compromised or stolen.
Healthcare data breaches have risen month over month for the past four months. The number one cause of data breaches in April was unauthorized access or disclosure. Despite evident improvements in cybersecurity defenses, insiders still contribute to inadvertent data breaches, and healthcare personnel still get involved in malicious actions.
The security incident at the California Department of Developmental Services accounts for over half of the healthcare records exposed in April. Intruders reportedly stole electronic devices from the California Department of Developmental Services office and set fire to the premises after the break-in. The majority of the PHI potentially disclosed was in physical form; nevertheless, it appears that none of it was taken. The ePHI stored on the stolen equipment was encrypted and thus was not exposed.
Hacking typically accounts for the largest number of stolen or exposed healthcare records. Yet in April, unauthorized disclosure incidents resulted in the highest number of breached records. There were 11 major breaches in which more than 10,000 records were disclosed. Phishing attacks also contributed to data breaches. Nine breaches were the result of hacked email accounts. Healthcare organizations should strengthen their systems to stop malicious emails from reaching employees' inboxes.
Healthcare organizations reported the majority of the breaches in April. Business associates reported five incidents, although they were linked to at least 11 other breach incidents. Illinois submitted 6 breach reports, followed by California with 5. Texas had 3 breaches, while Florida, Kansas, Iowa, Louisiana, Minnesota, Maryland, North Carolina, New Jersey, Wisconsin and Virginia each had 2. The states that reported one breach each were Georgia, Montana, Kentucky, New York, Nebraska, Pennsylvania and Tennessee.
With regard to financial penalties for HIPAA violations, the HHS' Office for Civil Rights has now issued two this year. The New Jersey attorney general's office resolved a state and HIPAA violation case in April against Virtua Medical Group, which opted to pay $417,816. The case involved the exposure on the web of information, including names, doctor's prescriptions and diagnosis details, of 1,654 New Jersey residents as a result of a misconfigured server. Virtua Medical Group was alleged to have failed to perform a risk analysis and implement the necessary security measures, which brought about the data breach.