Navigating a landscape of increasing healthcare data breaches

Technology has vastly improved the way healthcare organizations share patient information. While the transition from paper to electronic records has certainly not been a smooth one, electronic health record (EHR) systems offer a wealth of benefits to providers and patients: improving outcomes, reducing errors, and facilitating better communication between care teams.

But these benefits come at a cost: having all this data connected and accessible via the internet just isn’t as secure as one might assume. Yes, 256-bit encryption, security protocols, ISO certifications, and regulatory requirements act as safeguards. But none of that changes the fact that patient data is connected to networks, and electronic health records are often stored in the cloud. A new article from the HIPAA Journal shows an alarming trend: as the healthcare industry continues to digitize, data breaches are becoming much more common.

Healthcare data breach trends by the numbers

The HIPAA Journal’s report shows a clear—and timely—narrative. The stats go back to October of 2009, when the Department of Health and Human Services’ Office for Civil Rights (OCR) began publishing the data. Among some of the findings are these concerning trends:

  • Breaches have steadily increased since 2009, with a record high 725 reported data breaches in 2023, exposing more than 133 million patient records.
  • Since 2018, hacking incidents and ransomware attacks have increased by 239% and 278%, respectively, suggesting that healthcare is being specifically targeted.
  • Third-party solutions are increasingly targeted: 93 million of 2023’s exposed records, nearly 70%, involved a third-party point of entry.

Keep in mind that these statistics cover only data breaches where the HIPAA Security Rule was violated and more than 500 patient records were exposed. Many more breaches occur each year but go uninvestigated due to their smaller impact. And it’s not only large healthcare providers in the crosshairs: the HIPAA Journal reports that, in 2022, nearly 55% of the financial penalties levied were imposed on small medical practices.

Financial penalties for violations large and small

Of course, these breaches of patient privacy, and of patient trust, aren’t just bad news for the patients. If the OCR finds that HIPAA violations occurred, it can impose fines on the companies investigated. The report shows that the record for total fines was set in 2018, at nearly $28.7 million, but that figure reflects the egregiousness of the offenses, not the number of them. The 2018 total is spread across just 11 entities, suggesting violations at the level of willful neglect. In 2022, the OCR issued twice as many penalties, 22 in all, while the total amount of those fines was tiny compared to 2018: less than $2.2 million. This far lower total reflects the rise of enforcement against smaller organizations; lower-stakes violations are penalized at much lower rates.

Any attempt to find a pattern in enforcement, though, won’t yield much. In 2023, enforcement actions fell to 13, but the total fines and settlements nearly doubled to $4.2 million. As of April 2024, there are four enforcement actions on the books, and the total fines have already exceeded those from 2023. What this tells us is that the OCR is going after violations wherever they occur, at organizations of any size. This is the reason smaller healthcare providers outsource many of their processes to BPOs, which have the infrastructure and expertise to follow privacy regulations.

Or do they? Remember, while “business associates” trailed providers in the number of breaches, with just 20 to providers’ 76, 70% of the exposed records came from those 20 data breaches. A single breach at a BPO can expose data belonging to dozens of its clients.

Providers should do their homework

This data isn’t meant to dissuade anyone from outsourcing, but it underscores the need for providers to be diligent about their options by prioritizing data integrity. While this post was being written, UnitedHealth announced it had been the victim of a cyberattack in which hackers stole health data belonging to “a substantial proportion of the American people.” It’s clear that the entire healthcare supply chain needs to be secured. Any entity along that chain can only control its own operations; what its partners do doesn’t fall under that umbrella. This is why researching a partner’s practices, credentials, and history is crucial.

This is especially true for smaller medical providers. As noted in the previous section, they are just as likely to be investigated for violations as larger entities, but they often don’t have the resources to deploy in-house solutions. EMR/EHR data entry can be an inefficient process without either full-time employees or expensive software. This is exactly why so many of these providers turn to BPOs, which have the processes in place to take the busywork out of providers’ hands. Yet the OCR statistics about “business associates” make it plain that this option isn’t without risks.

What’s a small healthcare provider supposed to do?

Process as a service

At ScaleHub, data security is built directly into the foundation of our medical records indexing service. It’s in our company’s DNA: headquartered in Germany, we’re GDPR-compliant, operating under the EU’s strict data protection rules. We also maintain HIPAA compliance for our American customers. And our global presence means we follow the international standards required by our ISO 27001 certification. But that’s all background.

We built our service with data security in mind, and this goes beyond mere encryption. Using optical character recognition, AI, and the human intelligence of the crowd, our service breaks your very private data into discrete pieces of information that aren’t useful without their surrounding context. A medical record number, for example, is split into multiple parts and separated from any other identifying information. For a bit more detail on the process, you can see a brief explainer video of how we do it here. If you want to go deeper into how this applies to healthcare data specifically, we’ve got a great webinar on the topic.

And when you’re ready to really get into it, reach out to us for a personal introduction. We can go more in-depth into our unique approach to efficiently processing your patient-related documents in a safe, HIPAA-compliant way.
