Healthcare data breaches expose sensitive information of patients and clients. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following breaches in healthcare were reported this week:
Connally Memorial Medical Center email breach
On September 27, 2024, Connally Memorial Medical Center announced a breach involving unauthorized access to an employee's email account. The incident exposed personal and protected health information (PHI), including Social Security numbers, medical records, and health insurance details. Because the unauthorized actor had access to the account's email communications, a significant amount of patient information may have been exposed. Connally Memorial responded by notifying affected individuals and opening an investigation to establish the full scope of the breach, and it reported the incident to the HHS Office for Civil Rights (OCR) on September 30, 2024.
Walgreen Co. data breach
On October 1, 2024, Walgreen Co. reported a data breach affecting 1,915 individuals. The breach, caused by unauthorized access to a laptop, is a reminder of the risks of mishandling portable devices that hold sensitive data. Although further details about the nature of the compromised information have not been disclosed, it is clear that PHI may have been accessed.
Seven Counties Services phishing attack
Seven Counties Services, Inc. reported a phishing attack on October 4, 2024, that occurred between July 19, 2024, and August 12, 2024. The incident began when employees received emails that appeared to come from trusted sources; their responses gave an unauthorized party access to their email accounts. The phishing attack compromised protected health information, including Social Security numbers, dates of birth, diagnoses, and service dates. The organization responded by flagging external emails, issuing educational materials to staff, and improving its email security measures.
Related: Tips to spot phishing emails disguised as healthcare communication
Dohman, Akerlund & Eddy data breach
On October 7, 2024, Dohman, Akerlund & Eddy, LLC (DA&E) notified individuals affected by a data breach that had occurred earlier in the year. The breach was discovered after DA&E experienced a disruption to its IT network on February 28, 2024. Cybersecurity experts later confirmed that an unauthorized party had accessed confidential files containing sensitive consumer information. While the nature of the compromised data remains undisclosed, DA&E’s investigation is ongoing, and affected individuals have been informed of the potential risks.
How healthcare organizations can protect themselves from data breaches
- Strengthen email security: Implement multi-factor authentication (MFA) to ensure only authorized personnel access sensitive accounts. Regularly update passwords, encrypt email communications containing PHI, and train staff to recognize phishing attacks.
- Encrypt devices and data: Encrypt sensitive data on all portable devices, such as laptops, tablets, and external drives, to protect information even if a device is lost or stolen. Ensure encryption is enabled for data at rest and in transit, to safeguard patient data during access or transfer.
- Implement access controls: Limit access to sensitive information based on an employee’s role and responsibilities. Use role-based access controls to minimize the number of individuals who can access PHI.
- Employee training and awareness: Train staff to detect phishing emails, understand cybersecurity threats, and follow data protection protocols.
- Monitor networks and systems: Set up systems that continuously monitor network and account activity for unusual or unauthorized access attempts. Use automated alerts to surface suspicious activity in real time, which enables faster responses to breaches or hacking attempts.
- Develop an incident response plan: A clear incident response plan ensures that your team can quickly act to mitigate the damage if a breach occurs.
- Backup data regularly: Ensure regular backups of critical data to minimize the impact of ransomware attacks or other breaches. Store these backups in a secure, offsite location and ensure they are encrypted.
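As an added illustration of the "monitor networks and systems" recommendation above (example code written for this page, not from any organization mentioned in it): three of the four incidents involved unauthorized access to employee email accounts, so a useful automated alert is one that compares each mailbox login against the user's own history. The script below builds a per-user baseline of login countries from a learning period and then flags two things: a login from a country the user has never used, and two logins from different countries close enough together that one person could not have made both. The log format (JSON lines with user, ts, ip, country and action fields), the sample records and the learning-period cutoff are all constructed assumptions for the example.

```python
"""Added example: flag anomalous mailbox logins from a constructed audit log.

Assumptions (not from the article): audit records are JSON lines with the
fields user, ts (ISO-8601 UTC), ip, country and action, and the first part
of the log (before LEARN_UNTIL) is known-good and can serve as a baseline.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The last two records for nurse.a show a login from
# the usual country followed 30 minutes later by one from an unknown country.
SAMPLE_LOG = """\
{"user": "nurse.a@clinic.test", "ts": "2024-07-01T08:02:00Z", "ip": "203.0.113.10", "country": "US", "action": "MailboxLogin"}
{"user": "billing.b@clinic.test", "ts": "2024-07-02T09:00:00Z", "ip": "203.0.113.11", "country": "US", "action": "MailboxLogin"}
{"user": "nurse.a@clinic.test", "ts": "2024-07-08T08:10:00Z", "ip": "203.0.113.10", "country": "US", "action": "MailboxLogin"}
{"user": "nurse.a@clinic.test", "ts": "2024-07-08T08:11:00Z", "ip": "203.0.113.10", "country": "US", "action": "MessageRead"}
{"user": "billing.b@clinic.test", "ts": "2024-08-05T09:15:00Z", "ip": "203.0.113.11", "country": "US", "action": "MailboxLogin"}
{"user": "nurse.a@clinic.test", "ts": "2024-08-05T08:00:00Z", "ip": "203.0.113.10", "country": "US", "action": "MailboxLogin"}
{"user": "nurse.a@clinic.test", "ts": "2024-08-05T08:30:00Z", "ip": "198.51.100.7", "country": "ZZ", "action": "MailboxLogin"}
"""

# Everything before this timestamp is treated as the known-good learning period.
LEARN_UNTIL = datetime(2024, 7, 20)


def parse_log(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def build_baseline(events, learn_until):
    """Set of countries each user logged in from during the learning period."""
    baseline = defaultdict(set)
    for e in events:
        if e["action"] == "MailboxLogin" and e["ts"] < learn_until:
            baseline[e["user"]].add(e["country"])
    return baseline


def detect_anomalies(events, learn_until, travel_window=timedelta(hours=1)):
    """Return (user, rule, detail, timestamp) tuples for suspicious logins."""
    baseline = build_baseline(events, learn_until)
    last_login = {}
    alerts = []
    for e in events:
        if e["action"] != "MailboxLogin":
            continue  # only logins matter for these two rules
        user = e["user"]
        # Rule 1: after the learning period, a country never seen for this user.
        if e["ts"] >= learn_until and e["country"] not in baseline[user]:
            alerts.append((user, "new-country-login", e["country"], e["ts"]))
        # Rule 2: two different countries within the travel window.
        prev = last_login.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            alerts.append((user, "impossible-travel",
                           f"{prev['country']}->{e['country']}", e["ts"]))
        last_login[user] = e
    return alerts


def run_demo():
    """Run both rules over the constructed log and return the alerts."""
    return detect_anomalies(parse_log(SAMPLE_LOG), LEARN_UNTIL)


if __name__ == "__main__":
    for user, rule, detail, ts in run_demo():
        print(f"{ts:%Y-%m-%d %H:%M} {rule:20} {user} {detail}")
```

The two rules deliberately key on the user's own history rather than on a global list of "bad" countries, so a clinic with remote staff in several countries still gets a meaningful alert when an account is used from somewhere that account has never been. In practice the baseline would be refreshed on a rolling basis and the alert would feed the incident response plan described below.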
Read more: Tips for cybersecurity in healthcare
FAQs
Is encryption mandatory for healthcare data under HIPAA?
Encryption is strongly recommended by HIPAA to protect sensitive patient data, particularly when stored or transmitted electronically.
What is the most common cause of data breaches in healthcare?
Phishing attacks are among the most common causes, where employees are tricked into providing credentials or sensitive information, leading to unauthorized access.
What should healthcare organizations do immediately after discovering a breach?
They should secure systems, contain the breach, notify affected individuals and relevant authorities, and investigate the extent of the breach to prevent further damage.