- About PS&F
- Industry Focus
- Client Tools
- Education & Events
December 17, 2020
As technology advances, patients are becoming increasingly active partner 2020 has been a remarkable year full of challenges never before faced, testing our persistence and endurance to carry onward. It has also been a year full of cybercrime, with nearly 1 million health records breached in November, targeting healthcare organizations and testing their internal network security. Not only can these cybercrimes be a huge disruptor and financial liability, but Office for Civil Rights (OCR) fines, settlements, and legal fees can be devastating as well. Here is a look back on some of the biggest trends in data breaches and settlements of 2020 and the hard lessons learned.
The non-profit software company faced a ransomware attack in February on its self-hosted environment that compromised the data of more than 10 million individuals, with almost a million of those victims from healthcare entities. Although a ransom demand was paid and data was returned, it’s unclear whether those cybercriminals actually destroyed the data or still maintain a copy today. The breach was allegedly caused by Blackbaud’s failure to implement adequate cybersecurity measures and protocols necessary to protect individuals’ personal health information (PHI) stored in the cloud.
In April, hackers accessed nearly 365,000 patients’ and employees’ data by leveraging a social engineering phishing scheme that impersonated a Magellan Health client.
In May, over 287,876 patients’ PHI was exposed after hackers were successful with a phishing attack, gaining access through three separate employee’s emails.
In September, Premera agreed to pay OCR $6.85 million to settle potential violations related to a HIPAA breach that affected more than 10.4 million people. The settlement is the second largest payment to resolve a HIPAA investigation to date, which centered on a 2014 email phishing attack on Premera’s systems that lasted for nine months.
In July, Metropolitan agreed to pay OCR $25,000 to settle potential HIPAA violations stemming from a June 2011 data breach. OCR found that Metropolitan failed to conduct any risk analyses or provide staff security awareness training to prevent security incidents.
In February, Health Share notified over 650,000 members that an unsecured laptop containing individuals’ PHI was stolen from its transportation vendor, GridWorks. Although Health Share’s policies require business associates to use encryption on all devices with PHI, this laptop was not encrypted for unknown reasons.
Although the breach occurred in 2017, Lifespan agreed to settle a potential HIPAA violation related to a stolen laptop for over $1 million in July 2020. OCR found that the health system had systemic non-compliance with HIPAA rules, including failure to encrypt patients’ PHI.
Elite Emergency Physicians- In June, Elite Emergency Physicians reported that its third-party vendor, Central Files, had improperly disposed of patient medical records, impacting over 550,000 patients.
The clinic is facing multiple lawsuits over an employee who accessed the medical records of 1,600 patients without authorization. The lawsuit alleges that the Mayo Clinic did not implement systems or procedures to ensure patients’ health records would be protected and that the former employee accessed those medical records without first obtaining the patients’ consent.
In October, the health department agreed to pay $202,400 for a 2017 breach related to improper termination of a former employee’s access to patient medical records. The former employee returned to the health department eight days after being fired and accessed the system using active credentials. PHI, including names, addresses, and dates of birth was downloaded onto a USB drive.
One of the most common ways to mitigate cybercrime losses is by purchasing cyber liability insurance. However, in 2017, only 30% of healthcare organizations purchased cyber insurance, compared to 90% of organizations in the financial sector. Due to dramatic increases in ransomware losses over the past year and the increased cyber exposure from the high number of employees working remotely, obtaining coverage for a competitive price is becoming increasingly difficult. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis. This will be no different in 2021; breaches and ransomware attacks will continue to occur, thus driving up cyber coverage prices. Those organizations that purchase coverage and work in tandem with their cyber carriers to proactively address potential vulnerabilities will be better positioned as they enter a new year. Healthcare organizations should also work with their brokers to carefully review policy coverage gaps and ensure full liability protection.
For more information on cyber liability insurance, please contact your cyber liability team at Parker, Smith & Feek.
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.