The list of breaches on the Office for Civil Rights (OCR) “wall of shame” provides insights into who is being targeted by cyber criminals. Another way to look at it is that the list shows where the cyber attacks are succeeding. No matter how you look at it, business associates and smaller to medium-size specialty providers are being hit hard.
Larger health systems are not getting a free pass, however. They are still targeted, especially their free-standing and outpatient facilities. Many of the larger systems have better resources and more staff trained to defend against cyber crime, so they can do more to keep security intrusions from succeeding.
Business Associates at Risk
Business associates in healthcare have been separately liable and responsible for HIPAA compliance since 2013, when the final rule outlining their responsibilities under the 2009 HITECH Act was published. Although nine years seems like enough time to become accustomed to the requirements of HIPAA, we continue to be surprised today at how many business associates are not doing enough. Either they don’t know about the HIPAA requirements, or, if they do know, compliance is not a priority.
During the seven weeks between December 1, 2021 and January 21, 2022, 18% of the breaches reported to OCR (fifteen of the eighty-two) occurred at business associates, affecting nearly 340,000 individuals in total. All were described as hacking/IT incidents.
As we’ve noted before, when a breach happens at a business associate, the damages can mushroom fast because, as a third-party vendor in healthcare, the business associate holds protected health information (PHI) for thousands (even millions) of individuals. Examples include American Medical Collections Agency (2018), Blackbaud (2019) and, more recently, CaptureRx and Ciox Health (both in 2021).
Among the eighteen healthcare data breaches at business associates reported in the last eight weeks, some that stand out include:
- Bansley & Kiener, LLP, a CPA firm in Chicago, experienced a cybersecurity incident affecting almost 71,000 individuals.
- The Medical Review Institute of America (MRIA) in Utah provides clinical peer reviews on behalf of its health plan, health care provider and other customers. MRIA experienced a cybersecurity incident affecting 134,571 individuals.
- TTEC Healthcare, Englewood, Colorado, provides customer experience support (billing and payment information, claims processing, benefits inquiries) to covered entities. TTEC experienced a cybersecurity incident affecting 86,305 individuals.
- Hoya Optical Labs of America in Lewisville, Texas, provides ophthalmic lenses and eyeglasses to retail store customers nationwide. Hoya experienced a cybersecurity incident affecting 14,099 individuals.
This is a diverse group, providing essential services to health care providers and health plans, and their patients, across the country.
Cybersecurity Incidents at Covered Entities
While the largest health systems still face daunting risks of healthcare data breaches, the headlines are often filled with less obvious examples. Specialty providers, outpatient facilities, government organizations and nonprofits are commonly in the news for suffering healthcare data breaches. It’s a diverse group, large and small, local, regional and national in scope.
Examples of some of the larger breaches among these include a series of incidents at specialty retail eye care facilities, nonprofit clinics in California, and a Utah radiology practice. Fertility clinics and specialty pharmacies are hit time and again.
Most recently, Broward County Health in Miami experienced a massive breach affecting over 1.3 million individuals. (We note that Broward County’s public notice about the security incident revealed that the intrusion may have come through the office of a business associate; it was nonetheless reported to OCR as a “healthcare provider” breach.)
Among the fifty-four healthcare data breaches at health care providers reported in the last eight weeks, some that stand out include:
- Fertility Centers of Illinois, which provides fertility services and counseling, experienced a cybersecurity incident affecting 79,943 individuals.
- Ravkoo Pharmacy, a specialty mail-order pharmacy in Florida, experienced a cybersecurity incident affecting 105,000 individuals.
- A New Leaf, Inc., an Arizona nonprofit behavioral health organization providing support to those with developmental disabilities, experienced a cybersecurity incident affecting 10,438 individuals.
- Suncoast Skin Solutions of Florida, a dermatology practice, experienced a cybersecurity incident affecting 57,730 individuals.
- Southern Orthopaedic Associates of Kentucky, which provides orthopedic services to residents of western Kentucky and southern Illinois, experienced a cybersecurity incident affecting 106,910 individuals.
Another thirteen data breach reports on the OCR portal from the same period came from health plans, also considered covered entities.
HIPAA Risk Analysis is Essential
The organizations listed above were selected as representative examples from the OCR breach portal. None of them is unusual or unique. All types of organizations are susceptible to cybersecurity incidents and other types of healthcare data breaches, and all should be complying with HIPAA in order to do their best to prevent them.
The number one priority for all covered entities and business associates is a complete HIPAA Risk Analysis. As part of that, covered entities should reach out to their business associates, and BAs in turn should reach out to their subcontractor business associates. Do your due diligence: make sure they have current HIPAA policies in place, are performing a Risk Analysis at least once a year, and are conducting Risk Management year round.
Stay off the OCR “wall of shame” and avoid a lengthy and costly OCR investigation, EHR downtime and loss of reputation by getting your HIPAA house in order today.