Learning from recent email breaches

In recent months, four HIPAA-covered entities—Southern Bone & Joint Specialists, Connally Memorial Medical Center, Rim Country Health and Rehabilitation, and Michigan Masonic Home—reported email environment breaches that compromised the protected health information (PHI) of thousands of individuals. These incidents stress the importance of robust cybersecurity measures in the healthcare sector.

Reported data breaches

On October 3, 2024, four HIPAA-covered entities reported email account breaches, compromising sensitive patient data. These breaches occurred at Southern Bone & Joint Specialists, Connally Memorial Medical Center, Rim Country Health and Rehabilitation, and Michigan Masonic Home. 

Each organization has responded by securing its email systems and launching investigations with specialized cybersecurity firms. Southern Bone & Joint Specialists completed a file review on August 6, 2024, and confirmed the data breach. Michigan Masonic Home and Connally Memorial Medical Center are enhancing security measures and reviewing data protection policies to prevent future breaches. While no misuse of the exposed data has been reported so far, the risk of identity theft remains a concern.

Michigan Masonic Home's investigation is still ongoing, meaning the total number of individuals affected may increase. The HHS Office for Civil Rights has been notified of all incidents as required by HIPAA regulations.

Why does it matter?

According to a report from the Ponemon Institute, 92% of healthcare organizations experienced at least one cyber attack in the past 12 months. Statista also published the results of a survey that revealed that 41% of organizations had experienced an increase in “e-mail-based cyberattacks in the past 12 months.” 

Email accounts often contain large volumes of sensitive information, making them attractive targets for hackers. These breaches, supported by cybersecurity statistics, demonstrate the growing threat of cyberattacks in healthcare, where unauthorized access to PHI can lead to serious privacy violations. 

In response, organizations must continuously improve their cybersecurity practices. The breaches also stress the importance of workforce training on cyber hygiene and the need for robust email security protocols to safeguard patient data.

Lessons from the breaches

These incidents emphasize the growing threat of cyberattacks targeting healthcare institutions, particularly through email environments. Several lessons can be drawn from these breaches:

• Regular security audits: Healthcare organizations must conduct regular security audits to identify potential vulnerabilities, particularly in email environments. Unauthorized access to employee email accounts remains a common entry point for attackers.
• Prompt detection and response: By promptly identifying unauthorized access and engaging cybersecurity firms, organizations can limit the damage caused by breaches.
• Cybersecurity training: Training employees on cybersecurity best practices reduces the likelihood of successful phishing attacks and unauthorized access to sensitive data.
• Comprehensive data protection: Healthcare providers should implement multi-factor authentication (MFA) and encryption to safeguard sensitive information. Enhancing security policies and procedures, as seen in these cases, can prevent future incidents.
• HIPAA compliant email: Using HIPAA compliant email services like Pauabox Email Suite, ensures that email communications are secure and meet the regulatory requirements for protecting patient data. Features like encryption, audit controls, and secure access minimize the risk of data breaches through email accounts.
• Patient communication and remediation: Offering affected individuals credit monitoring and promptly notifying them of breaches can help mitigate the fallout from exposed data and reassure patients that their healthcare provider is taking the necessary steps to address the issue.

FAQs

What is a HIPAA-covered entity?

A HIPAA-covered entity is any organization or individual that directly handles PHI and is required to follow the regulations of the Health Insurance Portability and Accountability Act (HIPAA). This includes healthcare providers, health plans, and healthcare clearinghouses.

How can healthcare organizations prevent email breaches?

Healthcare organizations can implement MFA, regular security audits, data encryption, and employee training on cybersecurity best practices. They should also have robust incident response plans in place.