Privacy Breaches and Data Compromises in Healthcare: Recent Incidents

June 27, 2023

The healthcare sector has experienced a surge in privacy breaches and compromised data incidents. The danger of illegal access and compromised patient records has grown significantly due to the increasing digitization of medical data systems.

Take the recent privacy breaches that occurred in three prominent health institutions. These incidents emphasize the urgent need for robust security measures and proactive strategies. 

Examining these actual cases gives a glimpse into the complex challenges faced by the healthcare industry and the potential solutions to strengthen the protection of patient data.

SoutheastHealth’s Statement on Potential Vendor Breach

SoutheastHealth, a medical facility in Cape Girardeau, Missouri, has issued a statement addressing a possible data breach associated with a vendor named Intellihartx (ITX). 

The healthcare organization became aware of the massive breach after a patient reported receiving a letter from Intellihartx stating that their protected health information may have been exposed and compromised.

According to SoutheastHealth, the reported ITX breach compromises several data types, including names, addresses, dates of birth, Social Security numbers, insurance information, patient diagnoses, and billing details. 

In light of this incident, SoutheastHealth stressed that it does not have an active business relationship with Intellihartx. The medical facility also stated in its official statement that “the vendor could not confirm having sent any formal notification of this potential breach to SoutheastHEALTH. Doing so is a requirement based on the HIPAA Breach Notification Rule.”

CoxHealth Data Compromise: Hacking of Fortra GoAnywhere File Transfer Solution

CoxHealth, based in Springfield, Missouri, has recently confirmed a security breach resulting from a cyberattack on its billing vendor, Intellihartx, in January 2023. 

The attack, carried out by the Clop ransomware group, exploited a vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution. As a result, sensitive patient data was accessed. The attackers also demanded a ransom to prevent its public release.

The attack compromised the protected health information of potentially up to 203,000 patients. The stolen data includes personal information such as names, addresses, birth dates, Social Security numbers, medical diagnoses, and billing information. The 203,000 figure represents the maximum number of potentially affected patients, as it was challenging to determine the exact number with certainty.

Intellihartx has taken measures to assist affected individuals. They have also offered complimentary credit monitoring and identity theft protection services to mitigate any potential damages caused by compromised data.

Metro Health System Employee Privacy Breach: 15-Year Unauthorized Access

Metro Health System in Cleveland, Ohio, recently uncovered an incident involving an employee gaining unauthorized access to patient records. The discovery was made on April 27, 2023, prompting a subsequent investigation that revealed the earliest incident dating back to 2008, implying a longstanding case of unauthorized access that lasted for 15 years.

The accessed information primarily included patient names, dates of birth, and clinical details. No Social Security numbers or financial information were compromised. Per its penalties policy, Metro Health has disciplined the employee behind the privacy breach incidents. 

Thus far, no evidence suggests that patient data was further disclosed or misused. Efforts are underway to inform the affected individuals about the incident through mail notifications.

Metro Health is also taking proactive measures to enhance its privacy practices, including providing additional training to its workforce to improve security and ensure better compliance.

Long-Term Effects of Privacy Breaches in Healthcare

The effects of privacy breaches in healthcare can be extensive, costly, and damaging. Beyond the obvious stolen files and network disruptions, the consequences can extend to patient health, HIPAA noncompliance fines, and a tarnished reputation with industry partners.

Organizations must prioritize implementing robust cybersecurity measures not only for security but also for financial reasons.

Data loss

Compromised or inaccessible patient data can severely impact healthcare and should be addressed immediately. Such incidents lead to lost revenue as patients are redirected elsewhere, while additional IT resources are required to repair the network.

Organizations may feel compelled to pay for data retrieval in ransomware cases to avoid prolonged network downtime. However, the chances of recovering all locked data are slim, as evidenced by a California health system facing over two weeks of network disruption with incomplete data recovery.

Noncompliance fines

The US Department of Health and Human Services (HHS) places significant emphasis on compliance, and the Safe Harbor Bill factors in an organization’s cybersecurity level when determining fines for security incidents.

Delays in implementing data protection increase organizational liability, which could also lead to higher fines.

Damaged reputation

Privacy breaches can tarnish a healthcare organization’s reputation, particularly if it becomes evident that proper cyber defenses are lacking. Customers, patients, and industry partners may lose trust and confidence in the organization for failing to protect sensitive details like patient health information. 

Repairing this damaged reputation could even take longer than dealing with the actual breach.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
