Latest HHS Breach Data Elevates the Need for a Comprehensive Privacy Protection Strategy
by Michelle Del Guercio on April 27, 2023
HHS recently reported to Congress on healthcare’s 2021 patient data breach information for both large and small incidents (affecting more than 500 patient records vs. fewer than 500). Combined, the number of breaches remained high at more than 38 million affected individuals in 2021, making it the second largest annual increase since 2015, while associated monetary penalties remained the same at $13 million in the last twelve-month period.
The data from this report was combined with data previously aggregated from a Freedom of Information Act request submitted by Protenus to understand the overall trends that occurred during the onset of the pandemic. The combined dataset shows unauthorized access to patient records, mostly in the provider setting, remained consistent with prior year values, accounting for 93 percent of all breaches in 2021. It should also be noted that although unauthorized access remained unchanged, there was a dramatic 12% increase in the number of individuals affected, totaling 66%, compared to the prior year. While external threats like hacking impacted the highest volume of patients, health systems have been inundated with investigations of unauthorized access that stem from their own insiders, comprising 93% of those reported.
Check out the 2023 Breach Barometer® for a deep dive into the impact data breaches are having on healthcare.
HHS routinely shares publicly available data only for breaches that affect more than 500 patients. This view is helpful for understanding the most significant threats to patients; however, it does not provide a complete picture of the impact on healthcare and the overall patient population. Healthcare organizations are responsible for protecting patient privacy from breaches of any size. It’s key to understand the entire threat spectrum, from the small number of high-impact events caused by incidents like hacking to the vast number of lower-impact but alarmingly frequent incidents most commonly attributed to insider unauthorized access.
Only when a healthcare organization can fully understand its overall risk of a breach, be it one, one hundred or tens of thousands of patient records, can it more effectively allocate resources and deploy technology and processes to aid in the auditing, monitoring and protection of every patient’s record.
Here, we’ll examine the combined HHS breach data with the goal of providing insight and recommendations for mitigating risk most effectively.
For the decade HHS has collected this data, more than 3 million individuals were affected by 596,080 reported smaller breaches. No fewer than 60,000 breaches were reported in each of the last five years of data. More than 310 million patients have been affected overall, from combined large and small breaches.
The impact of breaches remains significant and has increased rapidly in recent years. From 2017 to 2018, the number of patients affected by breaches increased 107 percent to 12.5 million. The number of patients affected grew another 212 percent from 2018 to 2019, and has remained steady at around 38 million individuals in each of the last three years.
As mentioned above, when looking at the combined data, unauthorized access was the largest cause of breaches at 93 percent, virtually unchanged from 2020. Hacking rose slightly in the combined reported-breach data, from 1.65% in 2020 to 2.03% in 2021.
Breaches continue to be a problem for Health Care Providers, the reported setting for 91 percent of all combined breaches in 2021, up 1% from the prior year. The data also shows how many individuals were affected in each setting, and there’s been a huge jump for Health Care Providers. Between 2011 and 2018, the figures averaged 5 million individuals affected and never passed 10 million. In 2019 and 2020, the number spiked to 20 million individuals affected by breaches stemming from Health Care Providers. In 2021, the number further increased by 120%, hitting an all-time high of more than 24 million.
Privacy and data breaches are nothing new in healthcare and will continue to be a problem for the foreseeable future, and it’s impossible for healthcare organizations’ compliance teams to monitor 100% of the millions of system accesses each day with human resources alone. Technology, combined with human intelligence, can help ensure the best risk reduction methods to protect patient privacy.
The smaller number of high-impact breaches often gets the lion’s share of attention and resources, but healthcare organizations must understand the risks from the exceedingly large number of lower-impact events that can eventually lead to a huge risk. A proactive approach considers the full threat spectrum for the best chance at preventing future breaches and instituting a culture of compliance in the organization.
Protecting PHI and adhering to regulatory compliance are commonplace in healthcare organizations. But not all access violations are regulatory in nature. All too often, hospital organizations fail to look at the bigger picture of unauthorized access to PHI in the form of workforce policy violations that may still put an organization and its patients at risk, even if not regulatory (or high volume) in nature.
Organizations that are looking to expand their reach into the community by connecting more hospitals or physician providers and growing their patient or member base are at greater risk from insider threats. Current privacy programs, which often rely on manual review and audits, cannot keep up with the added volume or velocity of threats, putting future business growth and patients at risk.
As part of a comprehensive privacy protection plan which includes audit controls and authentication, workflow automation greatly reduces financial, reputational, and clinical risk to organizations and most importantly, the patients they serve.
Hospitals and large physician groups that have implemented AI-technology solutions that support and augment their regulatory compliance programs experience greater opportunity to educate the workforce on privacy policies, reposition themselves from reactive to proactive in violation occurrences, and support the reputation of a high-reliability organization.
If you’d like to learn best practices on how to greatly mitigate your risk by transitioning to a proactive, preventive privacy strategy, reach out to our team for more information today. You can make a difference in supporting your organization’s strategic goals that support patient safety, fiscal responsibility, and community reputation.
For insight into how complete, proactive monitoring delivered immediate ROI at a large integrated delivery network, download the case study.