The number of successful cyber attacks spiked in March, with 11 incidents reported to the Office for Civil Rights, although since HIPAA-covered entities have up to 60 days from the discovery of a data breach until a breach notification must be submitted, that figure may yet rise. In February, there were 4 reported hacking incidents involving HIPAA-covered data, and just 2 reported in January.
Last month, 11 million health plan records were exposed in the huge data breach at Premera Blue Cross, an incident potentially much more serious than the Anthem breach the month before due to the extent of data acquired by thieves. The Premera hack allowed the perpetrators to copy Social Security numbers, personal identifiers and healthcare data.
There were also a number of other large-scale breaches reported to the OCR in March. The Virginia Department of Medical Assistance Services (VA-DMAS) reported a network server hacking incident in which 697,586 plan member records were exposed, and 151,626 records were compromised at Advantage Consolidated. Over 90,000 records were exposed in separate attacks on AT&T Group Health Plan and the Freelancers Insurance Company, and Indiana State Medical Association reported a hacking incident which resulted in the exposure of 38,351 records.
Total breaches are also up 35% in March, with 17 incidents reported in both January and February, compared to 23 data breaches so far reported to the OCR for March. In total, 91,015,368 Protected Health Records have been exposed in breaches so far this year.
Health Insurance Plans A Target for Hackers
The two multimillion record hacks reported this year both affected health plans, and last month the McDermott medical plan, Freelancers Insurance Company, AT&T Group Health Plan, Career Education Corporation and VA-DMAS all registered hacking incidents, while hackers also gained access to over 900,000 records in two separate network server incidents at the Georgia Department of Community Health in which 355,127 and 557,779 records were exposed.
Hackers are now using much more sophisticated methods to gain access to healthcare databases and the PHI they contain. It is now more important than ever to improve data security measures, to implement even more robust security systems than those demanded by HIPAA, and to give serious consideration to implementing data encryption technologies for data both at rest and in motion.
While preventative measures are essential, it is also important to monitor access to PHI to ensure that if hackers manage to break through defenses, rapid action can be taken to limit the damage they cause.