In separate incidents, primary care providers based in Pennsylvania and anesthesia providers across the country have experienced major healthcare data breaches recently. Combined, the two incidents have affected over 615,237 individuals so far.
Primary Care in Pennsylvania
Keystone Health, a Pennsylvania-based team of primary care providers, disclosed a healthcare data breach that potentially impacted the protected health information (PHI) of 235,237 individuals. Keystone filed the breach with the Office for Civil Rights (OCR) breach reporting tool on October 14, 2022.
Keystone discovered the security incident on August 19 and later determined that an unauthorized party had accessed files within its system between July 28 and August 19. The files contained patient names, clinical information, and Social Security numbers. Keystone began mailing letters to impacted individuals and offered credit monitoring services to those who were eligible. Unlike the second large breach noted below, this cyber attack was directed at the health care provider itself, not at a third-party vendor.
In its public announcement, Keystone noted that it is “implementing new network security measures and providing additional training to our employees” to help prevent something like this from happening again.
Anesthesiology Practices Nationwide
Thirteen anesthesiology practices located primarily in NY, CA, TX and MD have been affected by a cybersecurity attack on a management company that provides services to multiple providers of anesthesia services to hospitals. As a business associate, the management company stores PHI of its customers’ patients.
The following anesthesiology practices have recently reported breaches to OCR.
- Anesthesia Associates of El Paso: 43,168 individuals impacted
- Upstate Anesthesia Services PC: 9,065 individuals impacted
- Resource Anesthesiology Associates PC: 37,697 individuals impacted
- Resource Anesthesiology Associates of IL PC: 18,321 individuals impacted
- Resource Anesthesiology Associates of CA: 16,001 individuals impacted
- Providence WA Anesthesia Services: 98,643 individuals impacted
- Palm Springs Anesthesia Services: 58,513 individuals impacted
- Lynbrook Anesthesia Services: 3,800 individuals impacted
- Hazleton Anesthesia Services: 13,607 individuals impacted
- Fredericksburg Anesthesia Services: 7,069 individuals impacted
- Bronx Anesthesia Services: 17,802 individuals impacted
- Anesthesia Services of San Joaquin: 44,015 individuals impacted
- Anesthesia Associates of Maryland: 12,403 individuals impacted
Other than these reports, information to date is scarce. One provider in El Paso, TX published a media notice on September 21, 2022. According to that notice, unauthorized individuals gained access to the IT systems used by the management company and potentially viewed or obtained sensitive patient information, including patient names, addresses, health insurance policy numbers, payment information, Social Security numbers, and diagnosis and treatment information.
As more is learned, we’ll update this post.
HIPAA Risk Management is Central to Cyber Defense
These breaches are not inevitable. More can be done to safeguard patient information and prevent the theft of PHI.
OCR will investigate the organizations where the breaches occurred and will learn more about what happened and why. Even though the number of cyber attacks is growing, attackers don’t always succeed. They succeed where organizations are vulnerable. An organization is at much greater risk if its cyber defenses are weak: for example, if the workforce hasn’t been trained to fight phishing, if anti-malware and anti-virus software is out of date, or if access controls are weak. Use the Security Rule Checklist, conduct an annual Risk Analysis, and do due diligence with business associates to make sure they follow HIPAA.