When a Healthcare Breach Lands You on the Wall of Shame

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Healthcare breaches are incredibly difficult for organizations to deal with, and the repercussions vary greatly depending on what caused the breach in the first place. Beyond the struggle of getting your organization back up and running, there is determining the cause of the breach, notifying patients, taking corrective action, reporting the breach to regulators and, potentially, finding yourself on the infamous Wall of Shame.

The Repercussions of a Data Breach
The immediate repercussions of a data breach vary. Some breaches leave an organization inoperable for a short or even a long period of time, while others do not. For example, ransomware may force you to restore your data from backups, or, if you have no backups, leave you with the decision of losing your data or paying the ransom – a tough call, and paying does not guarantee the return of your data either. On the other hand, maybe your data breach was the result of an employee losing an unencrypted thumb drive containing patient data. In that case, the organization can usually keep functioning despite the incident, but the notification and reporting obligations are the same.

Regardless of the cause of the breach, one thing is certain: under the Health Insurance Portability and Accountability Act (HIPAA), covered entities and their business associates are required to report a breach of unsecured protected health information (PHI) to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). If the reported breach affected 500 or more individuals, further ramifications ensue.

The Wall of Shame
HHS’ breach portal, often referred to as the “Wall of Shame,” is a place no organization wants to end up. Up and running since 2009, the breach portal satisfies a congressional mandate that the public have access to breach information. When a breach affecting 500 or more individuals is reported to OCR, that incident is documented and put on display for everyone to see. The portal’s main listing shows breaches reported within the last 24 months that are still under investigation (yes, you can be on the “wall” for quite some time). Older breaches are moved to an archive that also remains publicly available.

The wall shows the organization’s name, state, the type of covered entity (e.g., healthcare provider or business associate), how many individuals were affected, the type of breach (e.g., hacking, theft), when the breach was reported, as well as the location of the breached information (e.g., email, paper, films, network server).

The wall has received plenty of criticism since its creation. Some feel that the portal brings organizations long-term embarrassment, highlighting their breach while ignoring their corrective, good-faith efforts to improve their cybersecurity following the incident.

What Can We Learn from the Wall?
Despite the controversy over the wall, it does offer the public a way to look up potential breach information for their healthcare provider, or providers they are considering visiting. The wall also provides insight into the ever-evolving cybersecurity threat landscape. By analyzing the types and locations of data breaches, researchers (and those who are curious) can gather information on the most common breaches to determine the biggest risks to organizations.

A recent paper published in JAMA Internal Medicine looked at the causes of data breaches posted to the wall of shame from Oct. 21, 2009, to Dec. 31, 2017. In total, the research analyzed 1,138 breaches affecting 164 million individuals.

While a significant share of the studied breaches were the result of outside theft (32.5 percent), the findings indicated that over half (53 percent) of the breaches were caused by internal mistakes or neglect. Among the insider mistakes leading to data breaches, the leading causes were mailing and e-mail errors (including employees clicking on phishing emails and employees forwarding emails containing PHI to their personal accounts) and employees accessing PHI without authorization.
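The kind of analysis the article describes, tallying breaches by type and by location of the breached information and applying the 500-individual posting threshold and the 24-month public window, can be reproduced against a CSV export of the portal. The script below is an added example, not code from the article or from HIPAA Secure Now!; the column names and the sample rows are constructed to match the fields the article lists, not taken from the real portal, and the 24-month window is approximated as 730 days.

```python
"""Aggregate breach-portal style records the way the JAMA analysis does.

Added example. The CSV below is CONSTRUCTED in the shape of a portal
export using the fields the article lists (organization name, state,
entity type, individuals affected, breach type, submission date,
location of breached information). The column names are assumptions;
the organizations and numbers are made up.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

SAMPLE_CSV = """name,state,entity_type,individuals_affected,breach_type,submission_date,location
Example Clinic A,TX,Healthcare Provider,1200,Hacking/IT Incident,2023-11-02,Network Server
Example Clinic B,OH,Healthcare Provider,640,Theft,2024-01-15,Laptop
Example Plan C,CA,Health Plan,300,Unauthorized Access/Disclosure,2024-02-20,Email
Example BA D,NY,Business Associate,25000,Hacking/IT Incident,2024-03-09,Email
Example Clinic E,FL,Healthcare Provider,510,Loss,2021-06-30,Other Portable Electronic Device
"""

POSTING_THRESHOLD = 500              # article: 500 or more individuals are posted
PUBLIC_WINDOW = timedelta(days=730)  # assumption: ~24 months, as the article describes


def parse_portal_csv(text):
    """Parse CSV text into dicts with typed count and date fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["individuals_affected"] = int(r["individuals_affected"])
        r["submission_date"] = date.fromisoformat(r["submission_date"])
        rows.append(r)
    return rows


def meets_posting_threshold(row):
    """True if the breach is large enough to appear on the public wall."""
    return row["individuals_affected"] >= POSTING_THRESHOLD


def currently_listed(rows, today):
    """Rows that would sit on the main (non-archive) listing as of `today`.

    `today` may be a date or an ISO string. Investigation status is not
    in the sample data, so only size and age are checked here.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [
        r for r in rows
        if meets_posting_threshold(r) and today - r["submission_date"] <= PUBLIC_WINDOW
    ]


def summarize(rows, field):
    """Per value of `field`: (breach count, share of breaches,
    individuals affected, share of individuals).

    Counting both breaches and people matters: a single large hacking
    incident can dwarf many small insider mistakes in individuals affected.
    """
    counts = Counter()
    people = defaultdict(int)
    for r in rows:
        counts[r[field]] += 1
        people[r[field]] += r["individuals_affected"]
    total_b = sum(counts.values())
    total_p = sum(people.values())
    return {
        k: (counts[k], counts[k] / total_b, people[k], people[k] / total_p)
        for k in counts
    }


if __name__ == "__main__":
    rows = parse_portal_csv(SAMPLE_CSV)
    posted = [r for r in rows if meets_posting_threshold(r)]
    for field in ("breach_type", "location"):
        for k, (n, n_share, p, p_share) in sorted(summarize(posted, field).items()):
            print(f"{field:12} {k:35} {n:2} ({n_share:5.1%})  {p:7} ({p_share:5.1%})")
    print("listed now:", [r["name"] for r in currently_listed(rows, "2024-04-01")])
```

Run it on a real export by replacing `SAMPLE_CSV` with the file contents and mapping the portal’s actual column headers onto the names used here; the breach-count and individuals-affected shares are the two figures the JAMA authors report, and looking at both together is what distinguishes "most frequent cause" from "cause that exposes the most people."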

These findings serve as an important reminder that insiders are a major risk to organizations. Strengthening employee defenses with appropriate, recurring security awareness training (phishing recognition, handling of PHI in email, and access only to the records a role requires) is incredibly important if you want to protect your organization from a data breach – and from potentially ending up on the infamous Wall of Shame.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance.