Healthcare data breaches expose sensitive information of patients and clients. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following breaches in healthcare were reported this week:
On September 27, 2024, Connally Memorial Medical Center announced a breach involving unauthorized access to an employee's email account. This incident exposed personal and protected health information (PHI), including Social Security numbers, medical records, and health insurance details. The breach resulted from an unauthorized actor gaining access to email communications, potentially exposing significant patient information. Connally Memorial responded by notifying affected individuals and conducting an investigation to understand the full scope of the breach, and it reported the breach to the OCR on September 30, 2024.
On October 1, 2024, Walgreen Co. reported a data breach affecting 1,915 individuals. This breach, caused by the unauthorized access of a laptop, is a reminder of the risks of mishandling portable devices containing sensitive data. Although further details about the nature of the compromised information have not been disclosed, it’s clear that PHI may have been accessed.
On October 4, 2024, Seven Counties Services, Inc. reported a phishing attack that occurred between July 19, 2024, and August 12, 2024. The incident began when employees received emails appearing to be from trusted sources, leading them to respond and provide unauthorized access to their email accounts. The phishing attack compromised protected health information, including Social Security numbers, dates of birth, diagnoses, and service dates. The organization responded by flagging external emails, issuing educational materials to staff, and improving email security measures.
On October 7, 2024, Dohman, Akerlund & Eddy, LLC (DA&E) notified individuals affected by a data breach that had occurred earlier in the year. The breach was discovered after DA&E experienced a disruption to its IT network on February 28, 2024. Cybersecurity experts later confirmed that an unauthorized party had accessed confidential files containing sensitive consumer information. While the nature of the compromised data remains undisclosed, DA&E’s investigation is ongoing, and affected individuals have been informed of the potential risks.
Encryption is strongly recommended by HIPAA to protect sensitive patient data, particularly when stored or transmitted electronically.
Phishing attacks are among the most common causes, where employees are tricked into providing credentials or sensitive information, leading to unauthorized access.
They should secure systems, contain the breach, notify affected individuals and relevant authorities, and investigate the extent of the breach to prevent further damage.