HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Healthcare breach roundup: Week of 11/11/24

Written by Liyanda Tembani | Nov 22, 2024 2:05:31 AM

The following breaches in healthcare were reported this week:


Familylinks, Inc. data breach

Familylinks, Inc., a healthcare organization based in Pennsylvania, reported a data breach on November 12, 2024, involving unauthorized access to an employee’s email account. The breach affected the personal information of 3,775 individuals, including protected health information (PHI) such as names, dates of birth, health conditions, and insurance details. The breach was discovered after the organization noticed suspicious activity in its email system. Familylinks, Inc. has notified the affected individuals and is working to enhance its security protocols to prevent future incidents.


Liberty Endo breach

Liberty Endo, a Missouri-based healthcare provider, reported an unauthorized access incident involving email accounts on November 13, 2024. The breach affected the personal information of 942 individuals. While the breach did not involve sensitive financial data or detailed medical records, the incident is a reminder of the risks of email-based attacks. 


Hopscotch Health Management data breach

Hopscotch Health Management, a healthcare organization based in Illinois, experienced a data breach after unauthorized access to sensitive information. The breach involved 4,945 individuals and was linked to a compromised internal system. Exposed data included personal details like Social Security numbers, addresses, and health insurance information. This breach was reported to the OCR on November 14, 2024. 


TriHealth Physician Partners breach

TriHealth Physician Partners, an Ohio-based healthcare organization, faced a data breach related to historical documents of the For Women entity. The breach, reported on November 14, 2024, involved the personal health data of over 27,000 individuals. The exposed information included names, Social Security numbers, medical conditions, and lab results. This breach occurred due to unauthorized access to historical files, showing the vulnerabilities that may arise from mergers and acquisitions or third-party vendor relationships.


Aspen Healthcare Services ransomware attack

Aspen Healthcare Services, a healthcare provider, was targeted in a ransomware attack on October 22, 2024, and reported the breach on November 15, 2024. The attack led to unauthorized access to sensitive consumer and patient data. This incident affected 7,195 individuals, and exposed data included Social Security numbers, health records, and insurance IDs.


Athenahealth data breach

Athenahealth, a healthcare technology company, experienced a data breach involving unauthorized access to patient information. The breach report, submitted in mid-November 2024, covered 1,974 individuals. Exposed information included patient names, addresses, medical conditions, and insurance details.


Option Care Health data breach

Option Care Health, a provider of home and alternate site infusion services, reported a data breach involving unauthorized access to employee email accounts on November 15, 2024. This breach affected 2,897 individuals and exposed data including PHI. 


How healthcare organizations can protect themselves from data breaches

  • Strengthen email security: Require multi-factor authentication (MFA) on every mailbox, preferring phishing-resistant methods such as FIDO2/WebAuthn security keys, because one-time codes and push approvals can be relayed or worn down by a real-time phishing kit. Enforce strong, unique passwords and reset credentials immediately after a suspected compromise, encrypt email that contains PHI, and train staff to recognize phishing. Three of the seven breaches above began with a compromised employee email account.
  • Encrypt devices and data: Enable full-disk encryption on all portable devices, such as laptops, tablets, and external drives, so a lost or stolen device does not become a reportable breach. Ensure encryption is in place for data at rest and in transit; under HHS guidance, PHI that is properly encrypted is treated as "secured," which removes the breach-notification obligation if only the encrypted copy is lost.
  • Implement access controls: Limit access to sensitive information based on an employee’s role and responsibilities. Use role-based access controls and least privilege to minimize the number of accounts that can reach PHI, review entitlements when roles change or staff leave, and log every access to PHI so the scope of an incident can be reconstructed.
  • Employee training and awareness: Train staff to detect phishing emails, understand cybersecurity threats, and follow data protection protocols. Make it easy to report a suspected phish; a quick report shortens the window between credential theft and mailbox takeover.
  • Monitor systems and audit logs: Collect and review authentication and mailbox audit logs, not only network traffic. Alert on sign-ins from new locations or without MFA, on newly created inbox rules that forward mail outside the organization or delete messages, and on bulk mailbox access. These same logs determine how many records an intruder actually touched, which drives the notification count.
  • Develop an incident response plan: A clear incident response plan, with named roles, contact lists, and the HIPAA Breach Notification Rule deadlines written in, ensures that your team can act quickly to contain damage and meet reporting obligations if a breach occurs.
  • Backup data regularly: Keep regular, encrypted backups of critical data, with at least one copy offline or immutable so ransomware cannot reach it, and test restores. Backups limit downtime but do not undo data theft; a ransomware incident that also exfiltrated PHI, like the Aspen Healthcare case above, still requires a breach assessment.
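The email-compromise pattern behind several of the breaches above (a stolen password, a sign-in from an unfamiliar location, then an inbox rule that forwards or hides mail) leaves a recognizable trail in mailbox audit logs. The detector below is an added example for this roundup, not code from HIPAA Times or from any organization named on this page. It runs over a constructed, newline-delimited JSON log; the field names (`op`, `mfa`, `country`, `params`) are a simplified assumption loosely modeled on cloud mailbox audit events, not any vendor's exact schema.

```python
"""Flag common mailbox-compromise signals in audit logs (added example)."""
import json
from datetime import datetime, timedelta

# Constructed sample records, not real data. Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-11-04T08:02:11Z", "user": "nurse.a@example-clinic.org", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "US", "mfa": true, "result": "Success"}
{"ts": "2024-11-04T08:05:40Z", "user": "nurse.a@example-clinic.org", "op": "MailItemsAccessed", "ip": "203.0.113.10", "country": "US"}
{"ts": "2024-11-04T09:15:02Z", "user": "nurse.a@example-clinic.org", "op": "UserLoggedIn", "ip": "198.51.100.77", "country": "NG", "mfa": false, "result": "Success"}
{"ts": "2024-11-04T09:16:30Z", "user": "nurse.a@example-clinic.org", "op": "New-InboxRule", "ip": "198.51.100.77", "country": "NG", "params": {"ForwardTo": "attacker@example.net", "DeleteMessage": true, "SubjectContainsWords": ["invoice", "payment"]}}
{"ts": "2024-11-04T09:20:00Z", "user": "billing.b@example-clinic.org", "op": "UserLoggedIn", "ip": "203.0.113.22", "country": "US", "mfa": true, "result": "Success"}
{"ts": "2024-11-04T09:25:00Z", "user": "billing.b@example-clinic.org", "op": "New-InboxRule", "ip": "203.0.113.22", "country": "US", "params": {"MoveToFolder": "Archive", "FromAddressContainsWords": ["newsletter"]}}
"""


def parse_log(text):
    """Parse newline-delimited JSON audit records and return them oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_no_mfa_logins(events):
    """Successful sign-ins that did not complete MFA."""
    return [e for e in events
            if e.get("op") == "UserLoggedIn" and e.get("result") == "Success"
            and not e.get("mfa", False)]


def find_impossible_travel(events, window=timedelta(hours=6)):
    """Same account signing in successfully from two countries inside `window`."""
    alerts = []
    last_login = {}  # user -> most recent successful login event
    for e in events:
        if e.get("op") != "UserLoggedIn" or e.get("result") != "Success":
            continue
        prev = last_login.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            alerts.append((e["user"], prev["country"], e["country"]))
        last_login[e["user"]] = e
    return alerts


def find_suspicious_inbox_rules(events, internal_domain):
    """Inbox rules that forward mail outside the org or delete it: classic BEC tradecraft."""
    alerts = []
    for e in events:
        if e.get("op") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = e.get("params", {})
        reasons = []
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            target = params.get(key)
            if target and not target.lower().endswith("@" + internal_domain.lower()):
                reasons.append(f"{key} -> external {target}")
        if params.get("DeleteMessage"):
            reasons.append("DeleteMessage")
        if reasons:
            alerts.append({"user": e["user"], "ip": e["ip"], "reasons": reasons})
    return alerts


def detect(text, internal_domain):
    """Run all three detectors over a raw log and group the alerts by type."""
    events = parse_log(text)
    return {
        "no_mfa_logins": find_no_mfa_logins(events),
        "impossible_travel": find_impossible_travel(events),
        "suspicious_rules": find_suspicious_inbox_rules(events, internal_domain),
    }


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG, "example-clinic.org").items():
        print(f"{kind}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed log, the nurse.a account trips all three detectors (an MFA-less sign-in, a US-to-NG jump within about an hour, and a rule that forwards invoice mail to an outside address and deletes the original), while billing.b's rule that files newsletters into an Archive folder is correctly ignored. The `internal_domain` argument is what separates legitimate internal forwarding from exfiltration, and the travel window is deliberately coarse so it can be tuned without geolocation data; in production the same checks would run against audit records exported from the mail platform.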


FAQs

Is encryption mandatory for healthcare data under HIPAA?

Not strictly. Under the HIPAA Security Rule, encryption of electronic PHI at rest and in transit is an "addressable" implementation specification (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)): a covered entity must implement it where reasonable and appropriate, or document why it is not and put an equivalent safeguard in place. In practice that makes encryption close to mandatory, and it carries a direct benefit: PHI encrypted in line with HHS guidance is considered "secured," so its loss or theft does not trigger the Breach Notification Rule.


What is the most common cause of data breaches in healthcare?

Phishing and other attacks on email accounts are among the most common causes. An employee is tricked into entering credentials on a look-alike login page, the attacker signs in to the mailbox, and every message containing PHI in that mailbox becomes part of the breach. Three of the seven incidents in this roundup involved compromised employee email accounts.


What should healthcare organizations do immediately after discovering a breach?

Contain first: disable or reset the compromised credentials, revoke active sessions, and isolate affected systems, but preserve logs and mailbox audit records before re-imaging anything so the investigation can establish which records were actually accessed. Then determine the scope, confirm whether PHI was involved, and notify. The HIPAA Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting 500 or more people must also be reported to HHS, and to prominent media outlets in the affected state, within that same window, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year.