What Happens When You’re Chosen?
According to the Office for Civil Rights (OCR) “Wall of Shame,” 889 cases of breaches to our Personal Health Information (PHI) were under investigation as of August 13, 2024, a list no organization wants to be on. Alarmingly, some providers have multiple incidents under scrutiny, underscoring the severity of the issue.
Being listed can have dire consequences. The most immediate risk is insurance loss, including the vital protection it offers the board of governors. Without adequate coverage, attracting quality advisors becomes difficult, and without a strong board, investors may shy away. This can severely limit the organization’s ability to grow and, in the worst cases, threaten the organization’s survival.
Take the example of the American Medical Collection Agency (AMCA). In 2021, they filed for bankruptcy, just two years after being listed on the Wall of Shame. Their case involved investigations by multiple state attorneys general, who made it clear that AMCA's failure to comply with directives could lead to enforcement of a $21 million fine—bankruptcy notwithstanding.
Or consider Anthem, which in 2018 faced litigation and ultimately settled for $115 million after failing to implement adequate security controls. In addition, they paid $16 million to the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights.
These cases create lasting damage, leading to a loss of public trust and potential partnerships. Investors and customers may view the organization as poorly managed, with funds not going toward vital improvements like new equipment, staff training, or dividends. If only these companies had been more diligent, imagine where they could be today.
Being on the Wall of Shame can hurt whether you’re a large or small organization. If it happens to a business associate, the primary covered entity is on the hook, regardless. AMCA didn’t even collect data; it exposed its partners’ data, making them vulnerable under HIPAA regulations. Companies like Quest Diagnostics, LabCorp, and BioReference Labs were all exposed to risk because they did business with AMCA. This led to losing control over sensitive patient information, including payment data, medical tests, and Social Security numbers.
Why Is Medical Data a Target?
Protected Health Information (PHI) is a prime target because it’s easier to hack, especially when attackers focus on business associates like AMCA. These entities often lack the robust security infrastructures of larger organizations, making them an easier target.
According to the U.S. Department of Health and Human Services, organizations classified as business associates are 13% more likely to experience a breach than those not. Breach reports have increased by 227% since 2021, and there are no signs of slowing down.
But the real treasure is in the PHI data itself. On the black market, a healthcare data record can fetch up to $250, compared to just $5.40 for a payment card record. That makes the AMCA breach potentially worth $6 billion—not a bad haul for a hacker who figured out how to access the payment portal.
AMCA is just one of at least 33,500 business associates in the healthcare sector. To put things in perspective, consider the National Association of Free Clinics (NAFC), which operates over 1,400 free clinics in the U.S. These clinics, often surviving on shoestring budgets, have patient data but lack the funds to protect it adequately. Their resources are limited, and security usually takes a back seat to more immediate needs—every player in the healthcare market matters, small or large. Breaches have grown by 900% from last year, and every player in the healthcare infrastructure is a potential target.
Beyond NAFC, there are 9,000 urgent care centers and over 17,000 primary care locations staffed by 55,000 clinicians. Internet health services like eHealth are expanding rapidly, and each new service increases the potential for breaches.
What Can Be Done?
Is this doom and gloom? Not for those who prepare. None of the practitioners covered by HIPAA need a massive budget, but they must know what steps to take. The key is to be smart, start small, and take consistent action. Six steps will cover most issues to avoid publication on the OCR Wall of Shame.
1. Conduct Regular Risk Assessments
Assess the organization’s security risks regularly to identify potential vulnerabilities. This should include evaluating network infrastructure, data storage practices, and access controls. The goal is proactively identifying and addressing weaknesses before they can be exploited.
2. Implement Strong Security Controls
Implement strong security measures based on the findings from the risk assessments. This includes data encryption at rest and in transit, multi-factor authentication for accessing sensitive information, and regular software updates and patches to close security gaps.
3. Train Staff on Cybersecurity
Human error is a common cause of data breaches. Ensure all employees, from the front desk to the boardroom, receive regular training on cybersecurity best practices. This should cover phishing scams, password management, and how to handle sensitive information securely.
4. Monitor and Audit Access to PHI
Implement continuous monitoring and regular audits of who accesses Protected Health Information (PHI). Automated tools can help track and log access to sensitive data, and any suspicious activity should be investigated immediately.
5. Develop and Test an Incident Response Plan
Having a robust incident response plan in place is critical. This plan should outline the steps your organization will take in the event of a data breach, including how to contain the breach, notify affected parties, and cooperate with regulatory investigations. Regularly test this plan with simulated scenarios to ensure everyone knows their role.
6. Work Closely with Business Associates
- Ensure that all business associates with access to PHI comply with HIPAA regulations. This includes conducting due diligence before entering into agreements and reviewing their security practices regularly. Business associates should be contractually obligated to maintain the same level of security as the organization.
By following these steps, healthcare organizations can significantly reduce their risk of a data breach and avoid the costly and reputation-damaging consequences of appearing on the Wall of Shame.