Analysis of HIPAA data breaches in 1st half of 2015

HIPAA data breaches in first half of 2015 (January-June)

An in-depth analysis, 06 Oct 2015

www.kaysharbor.com

Upload: kays-harbor-technologies

Post on 22-Jan-2018



Why HIPAA?

Purpose of HIPAA

• To make it easier for people to keep health insurance.
• To protect the confidentiality & security of healthcare information.
• To help the healthcare industry control administrative costs.

Source: Purpose of HIPAA, Department of Health, Tennessee

Overview of data breaches

A quick snapshot of HIPAA data breaches during the first half of 2015 (Jan-Jun)

• 139 incidents of HIPAA data breaches.
• 94mn individuals affected due to these breaches.
• Just 5 reported incidents covered 98% of total individuals affected.
• 1 in 2 and 2 in 3: the ratios shown for breach incidents reported by Healthcare providers and for incidents due to hacking/IT incident or theft.

Source: US Department of Health and Human Services, Office for Civil Rights

HIPAA data breaches by business type

Maximum HIPAA data breaches occurred at Healthcare Providers’ end

Total HIPAA breaches = 139

[Chart: segments 25% (34), 71% (99), 4% (5); legend: Healthcare provider, Health plan, Business associate]

Source: US Department of Health and Human Services, Office for Civil Rights

Top 5 states by number of incidents

HIPAA breaches in following 5 states alone amounted to 50% of all breach incidents

• California: 20 incidents
• Texas: 16 incidents
• New York: 12 incidents
• Florida: 11 incidents
• Illinois: 10 incidents

Source: US Department of Health and Human Services, Office for Civil Rights

Top 5 states by population affected

HIPAA data breaches affecting 99% of all individuals originated from following 5 states

• Indiana: 78.8 million
• Washington: 11.0 million
• Maryland: 1.1 million
• Georgia: 0.9 million
• Virginia: 0.7 million

Source: US Department of Health and Human Services, Office for Civil Rights

Top 5 incidents (by population affected)

Top 5 HIPAA breaches affected 92 mn people, all resulting due to hacking/IT on network server

People affected; State located; Breach reason; Breach location

• 78.8 mn; Indiana; Hacking / IT; Network server
• 11.0 mn; Washington; Hacking / IT; Network server
• 1.1 mn; Maryland; Hacking / IT; Network server
• 0.7 mn; Virginia; Hacking / IT; Network server
• 0.6 mn; Georgia; Hacking / IT; Network server

Source: US Department of Health and Human Services, Office for Civil Rights

Reasons of HIPAA data breaches

85% of HIPAA data breaches occurred due to unauthorized access, theft and hacking/IT incidents.

Total incidents: 139

• Unauthorized access/disclosures: 32%
• Theft: 30%
• Hacking/IT incidents: 26%
• Loss: 8%
• Improper disposal: 4%

Source: US Department of Health and Human Services, Office for Civil Rights

Reasons 1: Unauthorized access / disclosures

Unauthorized access of data from paper/films, emails & EMR contributed to 60% of such incidents

Unauthorized access/disclosures (total incidents: 45)

• Paper/films: 29%
• Email: 20%
• EMR: 11%
• Others: 40%

Source: US Department of Health and Human Services, Office for Civil Rights

Reasons 2: Theft

Laptop, desktop and electronic devices led to ~50% of data breaches due to theft

Theft (Total incidents: 41)

[Chart: segments 29%, 10%, 7%, 2%, 52%; legend: Laptop, Desktop, Others, Other portable Electronic device, EMR]

Source: US Department of Health and Human Services, Office for Civil Rights

Reasons 3: Hacking IT incidents

~65% of hacking/IT incidents happened at Network Server end

Hacking/IT incident (Total incidents: 36)

• Network server: 64%
• Desktop: 19%
• Email: 6%
• Others: 11%

Source: US Department of Health and Human Services, Office for Civil Rights

Reasons 4: Loss

Loss of paper/films contributed to 83% of all data breaches resulting due to loss

Loss (Total incidents: 12)

• Paper/films: 83%
• Laptop: 17%

Source: US Department of Health and Human Services, Office for Civil Rights

HIPAA has no safe harbor option, so make sure your underlying technology is compliant

• If your software is designed to manage, collect or transmit PHI in any form, then it has to be HIPAA compliant.
• Make sure user data is protected at all levels of communication, be it internal or external.
• Implement different security measures across multiple access levels of electronic data.
• Build functionality to remotely wipe electronic data from mobile devices in case of loss or theft.
• Use HIPAA-compliant network and email servers.

Further readings

• HIPAA data breaches in 1st half of 2015: An infographic: http://kaysharbor.com/blog/healthcare/hipaa-data-breaches-in-first-half-of-2015/

• Is your healthcare mobile app HIPAA compliant: http://kaysharbor.com/blog/healthcare/hipaa-compliance-for-your-mobile-app-can-be-a-tricky-path-dont-go-alone/

• Why mobility is no more an option for healthcare providers and hospitals: http://kaysharbor.com/blog/healthcare/planning-to-take-your-hospital-on-mobile-the-right-time-is-now-2/