Data Breaches Exposing Protected Health Information Are Surging

The number of large data breaches, those involving 500 or more people, exposing protected health information has increased exponentially in the last few years, and ransomware and hacking are the primary cyber threats in health care. There has been a 256% increase in large breaches reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that involve hacking and a 264% increase in ransomware reports just in the last five years. Further, large breaches reported to the OCR in 2023 affected over 134 million people, which is a 141% increase since 2022.

Figures demonstrating the surge in large data breaches exposing protected health information were recently released in two annual reports delivered to Congress outlining compliance and enforcement trends for the Health Insurance Portability and Accountability Act. In the reports, the OCR said it investigated 626 data breaches involving at least 500 people in 2022, which marks a 107% increase since 2018, when 302 large breaches were reported. While HHS has recently pushed hospitals to restrict using online tracking technology, Congress is also turning its attention to data privacy, and President Joe Biden's administration along with federal lawmakers are ramping up scrutiny over hospitals' and others' protection of confidential data.

United States Senator, Bill Cassidy, recently released a report calling for the modernization of HIPAA to ensure better protection of patient data among the continued progress in development of online technology. Senator Cassidy explained that emerging questions center on how to handle data generated by wearable devices, online searches revealing health conditions, and collecting geolocation data showing consumers' visits to clinics or treatment centers. Senator Cassidy calls for Congress to act and emphasizes a need for comprehensive data privacy reform.

Recommendations from OCR for health care providers, health plans, clearinghouses, and business associates covered by HIPAA include taking the following best practices to mitigate or prevent cyber threats:

• Review vendor and contractor relationships to ensure business associate agreements are in place and to address breach/security incident obligations;
• Integrate risk analysis and risk management into business processes ensuring they are conducted regularly, especially when new technologies and business operations arise;
• Ensure audit controls are in place to record and examine information system activity;
• Implement regular review of information system activity;
• Use multi-factor authentication to ensure only authorized users access protected health information;
• Encrypt protected health information to guard against unauthorized access;
• Incorporate lessons learned from previous incidents into security management processes; and
• Provide training regularly that is specific to organization and job responsibilities and that reinforces workforce members' critical role in protecting privacy and security.

Paul Hastings attorneys will continue to monitor these and other developments as we support our privacy and cybersecurity clients. If you have any questions, please do not hesitate to contact any member of our team.