Healthcare data breaches expose sensitive information of patients and clients. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following breaches in healthcare were reported this week:
Embody Performance & Recovery, a healthcare provider in Missouri, reported an unauthorized access incident on November 4, 2024. The breach involved unauthorized access to an employee’s email, impacting the personal information of 1,100 individuals. Although the breach did not expose sensitive financial, Social Security, or detailed medical records, it prompted the organization to review and enhance its security practices to prevent future incidents.
Thompson Coburn, a Missouri-based law firm specializing in data breach law, experienced a hacking incident impacting data from Presbyterian Healthcare Services (PHS) in New Mexico. The breach, reported on November 4, 2024, exposed personal health data for an estimated 305,088 individuals, though exact figures remain unclear. According to the notice by Thompson Coburn LLP, the attack was detected on May 29, 2024, and involved unauthorized network access; investigators found that files were accessed and stolen within two days. The compromised information included Social Security numbers, treatment details, patient account numbers, and clinical information.
Planned Parenthood of Montana fell victim to a ransomware attack on August 28, 2024, with attackers gaining network access and exfiltrating sensitive data over five days. The breach exposed PHI for 18,003 individuals, including names, dates of birth, medical record numbers, health insurance information, and clinical details like diagnoses and treatment information. Notifications were sent to affected individuals by November 5, 2024.
Universal Health Corporation, a Virginia-based medical group, discovered unauthorized access to employee email accounts on July 29, 2024. The compromised email accounts contained the PHI of 583 individuals, including Social Security numbers, driver’s license information, medical record numbers, and details related to medical treatment.
Although no misuse of the data has been reported, Universal Health Corporation has advised affected individuals to monitor their accounts for suspicious activity. This incident, reported on November 6, 2024, reinforces the risks associated with unprotected email accounts.
Orthopedics Rhode Island reported a network breach that occurred between September 4 and September 8, 2024. Suspicious activity was identified on September 7, and an investigation confirmed unauthorized access to the organization’s network, potentially exposing names, addresses, health insurance claims, diagnosis information, and x-ray images.
As reported to the OCR on November 6, the breach impacted 500 individuals. Orthopedics Rhode Island advised patients to be vigilant against identity theft and fraud.
Encryption is strongly recommended by HIPAA to protect sensitive patient data, particularly when stored or transmitted electronically.
Phishing attacks are among the most common causes of healthcare data breaches: employees are tricked into providing credentials or sensitive information, leading to unauthorized access.
Organizations that experience a breach should secure systems, contain the breach, notify affected individuals and relevant authorities, and investigate the extent of the breach to prevent further damage.