For Healthcare Data Security, 2018 Was a Bad Year


Did your organization’s healthcare data security protections hold during 2018?

Most employees have no idea how to answer that question. Unless they work in IT or handle financial transactions, data security might not be a top priority – or at least, it might not seem like a top priority. One breach is all it takes to realize how wrong that thinking is.

Any company that handles healthcare information is obligated to safeguard it, even if the company’s only healthcare records are related to employee insurance. Hospitals and other healthcare providers aren’t the only entities that are affected by accidental and malicious breaches.

2018 Healthcare Data Security: By the Numbers

Last year was a big year in terms of healthcare breaches, and that’s a big problem for American patients. A number of massive breaches occurred during 2018 alone. (Security data is available because entities that are required to comply with HIPAA laws are also required to inform the Department of Health and Human Services’ Office for Civil Rights, or OCR, when breaches occur.)

HIPAA Journal reports that in 2018 there were:

  • 18 breaches involving more than 100,000 records
  • 8 breaches involving more than 500,000 records
  • 3 breaches involving more than 1 million records

The largest breach happened at AccuDoc Solutions, Inc., a medical billing company located in South Carolina. More than 2.6 million records were exposed and viewable by outsiders during a week-long period in September, making it the largest breach reported since September 2016.

Healthcare data security reporting requirements vary based on whether a breach affects fewer than or more than 500 people. By the end of December 2018, the OCR had been notified of 351 breaches that involved 500 people or more. In total, the healthcare records of 13,020,821 people were exposed in the United States during 2018.

Self-funded employers should take note of one other relevant fact: three of the top six breaches in 2018 were reported by health plans.

Security Breach Trends in 2018

According to HIPAA Journal, the total number of healthcare data security breaches was slightly lower in 2018 than it was in 2017, but far more people’s records were exposed in last year’s breaches than in the year before. In 2017, the most significant event involved the records of just under 700,000 people. A total of 5,579,438 records were exposed in 2017, so 2018’s total of around 13 million represents a dramatic increase.

As in 2017, most of 2018’s major breaches (12 out of 18) were classified by the OCR as hacking/IT incidents. The other six were ruled as having been caused by unauthorized access/disclosure, theft and improper disposal of records.

Employee error and/or poor security practices contributed to several of the breaches. The second-largest incident occurred when multiple employees at UnityPoint Health opened phishing emails and unintentionally gave hackers access to the company’s internal records. That small action ultimately led to the exposure of more than 1.4 million individuals’ healthcare records. Several other 2018 incidents also involved successful phishing attacks.

The bottom line? The human error element plays a role in many massive healthcare data security breaches – something any employer that keeps healthcare records must keep in mind.

The good news is, there are steps you can take to ensure your information is safe. If you have questions about keeping your healthcare data secure, contact Stop Loss Insurance Brokers, Inc. today.