Cybersecurity incidents don’t just happen to big organizations. Cyber thieves go after organizations of all sizes and types. What is worse, we know that hackers are targeting healthcare because medical identity information is so valuable. And some small- to medium-sized providers are especially vulnerable if their defenses are not strong or up to date due to budget constraints.
Recently, Community Medical Centers (CMC), a network of nonprofit neighborhood health centers in Northern California, experienced a cyber incident that may have compromised the protected health information (PHI) of more than 656,000 individuals. It’s a shame to see a nonprofit clinic have to deal with these kinds of threats, when they’re already straining to provide care to underserved populations during a pandemic.
CMC reported the potential breach last week to the Maine Attorney General, but as of today, it has not appeared on the U.S. Department of Health and Human Services’ breach reporting portal listing health data breaches affecting 500 or more individuals.
This incident at CMC, however, would rank as the 12th-largest health data breach posted to the HHS portal so far this year. Before now, the largest health data breach involving ransomware appearing on the portal was reported on July 8 by Wisconsin-based Forefront Dermatology S.C. as affecting more than 2.4 million individuals.
OCR Investigates All Large Breaches
Although the CMC incident doesn’t yet appear on the HHS portal, it will soon, and CMC will be investigated, since the Office for Civil Rights (OCR) at HHS investigates all breaches affecting 500 or more individuals. OCR doesn’t let nonprofits or small organizations off the hook. HIPAA is enforced across the board.
OCR investigators will scrutinize CMC’s adherence to HIPAA, including whether it has conducted a HIPAA Risk Analysis and, if so, how regularly. CMC will be required to show documentation of its Risk Analysis and the Risk Management plan it follows. It will be asked for its policies, procedures and forms, and for evidence of workforce training.
Even if an organization follows HIPAA, not every breach can be prevented and not every loss, theft or misstep is avoidable. OCR investigators understand this. If CMC follows HIPAA and can document strong HIPAA Risk Management procedures, but the cyber incident happened in spite of those efforts, the investigation may proceed smoothly with no civil fines or only small ones. CMC still has its own cybersecurity investigation, legal fees, notice to its patients and reporting to the media to deal with. Breaches are costly, well beyond their immediate effects.
Managing an Investigation
An investigation does not have to be long, drawn out and painful. However, it will require CMC’s time and resources, both of which are likely in short supply. If CMC cooperates, accepts OCR’s technical support and advice, and implements the suggestions offered, it will likely be better off in the end and at lower cost.
Prevention is Less Costly than Breach
It remains to be seen whether CMC had the appropriate policies, procedures and safeguards in place to reduce cyber risks and preserve the security and privacy of their patients’ PHI.
Too many breaches are happening, though, because basic cybersecurity defenses are not in place, staff are not trained, and systems are either out of date or not backed up. HIPAA Risk Analysis – Risk Management addresses all of these steps and can greatly reduce the risk of the nightmare scenario.