Since 2012, healthcare providers and other healthcare related organizations have reported thousands of breaches to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), impacting over 350 Million health records of patients, making cybersecurity within healthcare a crisis. The good news, over the years, healthcare organizations are becoming more aware of the risk they face.
Case studies based on breaches reported to the HHS OCR's portal.
At Intellegi, we believe that by helping healthcare providers understand the stories behind the breaches affecting the lives of millions of their patients is an important step towards changing behavior. This will lead to the development of more efficient strategies to mitigate cybersecurity breaches and safeguarding patients’ data.
The name of each organization referred in our case studies is kept confidential, however, the story behind the breach reveals important information about the incident itself as reported by the organization. Each case tells us something unique about what contributed to a data breach.
In 2015, AXG Inc., a healthcare organization based in Indiana, experienced the largest U.S. health data breach in history when cyberattackers gained access to their IT system via an undetected and continuous cyberattack. The attack exposed the electronic protected health information (ePHI) of nearly 79 million patients and resulted in AXG paying $16 million dollars to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).
The incident occurred after cyber-attackers infiltrated AXG’s system through spear phishing emails sent to an AXG subsidiary and at least one employee responded to the malicious email and opened the door to further attacks.
In 2021, the SFHCC Community Care Plan, a covered entity (CE) based in Florida, reported it had experienced a cybersecurity breach. This breach occurred when an employee emailed the electronic protected health information (ePHI) of over 48,000 individuals to her personal email account.
In this case, had there been proper data governance in place at SFHCC Community Care Plan prior to this incident occurring then several preventative measures could have been taken to ensure this type of breach do not happen.
In 2015, EYX Health Plan, a New York health services corporation, has payed over $5 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The breach, which began on or before December 23, 2013 and lasted until September 9th of 2015, resulted in cyber-attackers gaining unauthorized access to their information technology systems and exposed over 9 million patient records.
This case study serves as a perfect example as to why data governance is so important in today’s healthcare industry.
Data governance is a critical component of cybersecurity in healthcare, as evidenced by the 2018 breach at Tate Associated Health. In this case, a business associate providing ancillary services for the covered entity (Tate Associated Health) neglected to observe adequate quality control procedures. This resulted in the visible disclosure of protected health information (PHI) through the envelope window during a mailing of over 70,000 member identification cards.
This breach highlighted the importance of having a holistic data governance framework. Far beyond technology, this case emphasizes how cybersecurity and data privacy culture can provide ample protection for clients’ sensitive information.
Community Central Health (CCH) is a large healthcare provider based in California with over 600,000 patients. In 2021, the organization suffered from a devastating ransomware attack that compromised the protected health information of their entire patient population. The PHI involved included names, Social Security numbers, addresses, dates of birth, and clinical information, leading to the shut down of its systems. After investigation into the breach, it was evident that inefficient data governance — very common in healthcare was at the root of this cyber incident.
In response to the breach, Community Central Health provided generous services as a show of support for those affected. These offerings included identity theft protection and resolution assistance in addition to credit monitoring.