
Healthcare breach roundup: Week of 10/28/24

Healthcare data breaches expose sensitive information about patients and clients. Despite advances in cybersecurity, healthcare organizations remain attractive targets, largely because of the value of the data they hold. The following healthcare breaches were reported this week:

 

Mystic Valley Elder Services

Mystic Valley Elder Services, a Massachusetts nonprofit that provides home-based care to elders and adults with disabilities, suffered a cyberattack that exposed protected health information (PHI). The organization discovered unauthorized access to its systems on April 5, 2024, and engaged a digital forensics firm to investigate. The investigation confirmed that sensitive data may have been accessed, including Social Security numbers, passport details, health insurance information, and medical records. After a file-by-file review, Mystic Valley determined on July 11, 2024, that the PHI of 85,133 individuals had been compromised, and it reported the incident to the OCR on October 28, 2024. Notifications to affected individuals are underway, with credit monitoring and identity theft protection services offered.

 

Family Medical Center

Family Medical Center, a healthcare provider in Maryland, reported a network server breach involving hacking and unauthorized access to sensitive data. The incident, classified as a hacking/IT incident, affected approximately 2,100 individuals and was reported to the OCR on October 29, 2024.

 

Regence BlueCross BlueShield

Regence BlueCross BlueShield, a health plan based in Oregon, reported an incident to the OCR on October 29, 2024, in which paper documents were accessed without authorization; it was categorized as "unauthorized access/disclosure." The breach affected 610 individuals and likely involved personal information of the plan's members.

 

Potomac Medical Aesthetics, LLC

In another unauthorized-access incident, Potomac Medical Aesthetics, a Maryland-based healthcare provider, reported an email breach on November 1, 2024, that exposed the personal and medical information of 2,876 individuals. This "unauthorized access/disclosure" incident underscores the risks that email carries in healthcare settings, where a single compromised mailbox can expose every message and attachment it holds. Potomac Medical Aesthetics has since notified affected individuals and is offering them guidance on protecting their information.

Related: Why HIPAA breaches related to email are so common

 

How healthcare organizations can protect themselves from data breaches

  • Strengthen email security: Require multi-factor authentication (MFA), preferably a phishing-resistant method, on every account that can reach PHI. Enforce strong, unique passwords and reset them promptly when compromise is suspected, encrypt email containing PHI with services like Paubox, and train staff to recognize phishing attempts.
  • Encrypt devices and data: Encrypt sensitive data on all portable devices, such as laptops, tablets, and external drives, so the information stays protected even if a device is lost or stolen. Ensure encryption is enabled for data at rest and in transit to safeguard patient data during access and transfer.
  • Implement access controls: Limit access to sensitive information based on an employee's role and responsibilities. Use role-based access controls to minimize the number of individuals who can access PHI, review access periodically, and remove it when roles change or staff leave.
  • Employee training and awareness: Train staff to detect phishing emails, understand cybersecurity threats, and follow data protection protocols.
  • Monitor networks and systems: Continuously monitor network and account activity for unusual or unauthorized access attempts, such as bursts of failed logins, sign-ins from unfamiliar locations, and newly created mail-forwarding rules. Employ automated alerts to flag suspicious activity in real time, which enables faster responses to breaches or hacking attempts.
  • Develop an incident response plan: A clear incident response plan, including who to notify and the HIPAA notification deadlines, ensures that your team can act quickly to contain the damage if a breach occurs.
  • Backup data regularly: Keep regular backups of critical data to minimize the impact of ransomware attacks or other breaches. Store them encrypted in a secure offsite location, keep at least one copy offline or immutable so ransomware cannot reach it, and test restores regularly so you know the backups actually work.
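As an added illustration of the "monitor networks and systems" item above (example code written for this page, not code from the roundup or any vendor's product), the Python below runs three simple detection rules over a constructed set of email sign-in and mailbox-audit events: a successful login after a burst of failures, a login from a country outside the user's baseline, and a new rule forwarding mail to an external domain. The log format, field names, thresholds, organization domain, and per-user baseline are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in/audit events (not real data). The line format is
# an assumption for this example: timestamp|user|event|result|src_ip|country|detail
SAMPLE_LOG = """\
2024-10-28T08:01:10|j.doe@clinic.example|login|success|203.0.113.10|US|
2024-10-28T08:05:00|a.lee@clinic.example|login|fail|198.51.100.7|ZZ|
2024-10-28T08:05:02|a.lee@clinic.example|login|fail|198.51.100.7|ZZ|
2024-10-28T08:05:04|a.lee@clinic.example|login|fail|198.51.100.7|ZZ|
2024-10-28T08:05:06|a.lee@clinic.example|login|fail|198.51.100.7|ZZ|
2024-10-28T08:05:08|a.lee@clinic.example|login|fail|198.51.100.7|ZZ|
2024-10-28T08:05:12|a.lee@clinic.example|login|success|198.51.100.7|ZZ|
2024-10-28T08:06:30|a.lee@clinic.example|mailbox_rule|success|198.51.100.7|ZZ|forward_to=dropbox@mail.example
2024-10-28T08:40:00|j.doe@clinic.example|login|fail|203.0.113.10|US|
2024-10-28T08:40:09|j.doe@clinic.example|login|success|203.0.113.10|US|
"""

# Assumed per-user baseline of countries each account normally signs in from;
# in practice this is built from a few weeks of sign-in history.
BASELINE = {
    "j.doe@clinic.example": {"US"},
    "a.lee@clinic.example": {"US"},
}
ORG_DOMAIN = "clinic.example"       # assumed: forwarding outside this domain is suspicious
BRUTE_FORCE_FAILURES = 5            # assumed threshold for a failure burst
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip, country, detail = line.split("|", 6)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "result": result, "ip": ip, "country": country, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline):
    """Apply three rules and return alerts as (rule, user, timestamp) tuples."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "login":
            # Keep only the failures that fall inside the sliding window.
            window = [t for t in recent_failures[user] if ts - t <= BRUTE_FORCE_WINDOW]
            recent_failures[user] = window
            if e["result"] == "fail":
                window.append(ts)
                continue
            # Rule 1: a success right after a burst of failures (guessing/spraying).
            if len(window) >= BRUTE_FORCE_FAILURES:
                alerts.append(("success_after_failures", user, ts))
                recent_failures[user] = []
            # Rule 2: a success from a country not in the user's baseline.
            if e["country"] not in baseline.get(user, set()):
                alerts.append(("new_country_login", user, ts))
        elif e["event"] == "mailbox_rule" and e["result"] == "success":
            # Rule 3: a new rule forwarding mail outside the organization, a
            # common follow-on step once an email account has been taken over.
            target = e["detail"].partition("forward_to=")[2]
            if target and not target.endswith("@" + ORG_DOMAIN):
                alerts.append(("external_forwarding_rule", user, ts))
    return alerts


def run_detection(log_text=SAMPLE_LOG, baseline=BASELINE):
    return detect(parse_events(log_text), baseline)


if __name__ == "__main__":
    for rule, user, ts in run_detection():
        print(f"{ts.isoformat()} ALERT {rule} user={user}")
```

On the sample data the script raises three alerts, all for the same account and in the order the attack unfolds: the success after five failures, the sign-in from outside the baseline country, and the external forwarding rule created a minute later. A single typo followed by a correct login from a known location produces nothing. In a real deployment the events come from the mail platform's audit log, the thresholds are tuned against the organization's own traffic, and each alert should be routed to someone who can disable the account and start the incident response plan.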

Read more: Tips for cybersecurity in healthcare

 

FAQs

Is encryption mandatory for healthcare data under HIPAA?

Not strictly. The HIPAA Security Rule lists encryption of electronic PHI, at rest and in transit, as an "addressable" implementation specification: a covered entity must implement it where reasonable and appropriate, or document why it is not and what equivalent safeguard it uses instead. In practice encryption is expected, and it carries a further benefit under the Breach Notification Rule: properly encrypted data that is lost or stolen is considered "unsecured" PHI only if the key is also compromised, so its loss is generally not a reportable breach.

 

What is the most common cause of data breaches in healthcare?

Phishing attacks are among the most common causes, where employees are tricked into providing credentials or sensitive information, leading to unauthorized access.

 

What should healthcare organizations do immediately after discovering a breach?

They should contain the incident first (isolate affected systems, revoke compromised credentials and sessions, remove attacker persistence such as mail-forwarding rules) while preserving logs and other evidence for the investigation, then determine what data and which individuals were affected. Under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered; breaches affecting 500 or more individuals must also be reported to the HHS Office for Civil Rights within that 60-day window and, where 500 or more residents of a state are affected, to prominent media in that state, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. State breach-notification laws may impose additional or shorter deadlines.