Learning from the TriHealth Physician data breach 

On November 14, 2024, TriHealth Physician Partners reported a data breach from a security incident at one of its vendors. The breach exposed sensitive patient information, including names, addresses, dates of birth, Social Security numbers, claims information, and medical data. Notifications were sent to affected individuals, urging them to take protective measures. 

 

What happened 

The breach traces back to October 23, 2024, when TriHealth discovered a data security incident involving an external vendor. The incident specifically impacted older documents from "For Women," an OB/GYN group acquired by TriHealth in 2020.

Hackers gained unauthorized access to these historical records but did not infiltrate TriHealth’s primary network or obtain records created after the acquisition. Following an investigation, TriHealth confirmed that confidential patient data had been compromised.

 

The impact of the breach

The TriHealth Physician Partners breach affected 27,426 individuals, exposing a wide range of sensitive information. The compromised data varied by individual and included personal details such as names, addresses, and dates of birth, as well as sensitive information like Social Security numbers, medical claims data, and other confidential medical records. 

 

TriHealth’s response to the breach

After discovering the breach, TriHealth took several steps:

  • Conducted an investigation to assess the scope of the incident.
  • Worked with the vendor to identify security vulnerabilities.
  • Notified affected patients via breach notification letters starting November 6, 2024.

The letters detailed the specific information exposed and provided resources for those impacted, including guidance on mitigating risks.

 

How healthcare organizations can protect themselves from data breaches

  • Strengthen email security: Implement multi-factor authentication (MFA) to ensure only authorized personnel access sensitive accounts. Regularly update passwords, encrypt email communications containing PHI, and train staff to recognize phishing attacks.
  • Encrypt devices and data: Encrypt sensitive data on all portable devices, such as laptops, tablets, and external drives, to protect information even if a device is lost or stolen. Ensure encryption is enabled for data at rest and in transit to safeguard patient data during access or transfer.
  • Implement access controls: Limit access to sensitive information based on an employee’s role and responsibilities. Use role-based access controls to minimize the number of individuals who can access PHI. 
  • Employee training and awareness: Train staff to detect phishing emails, understand cybersecurity threats, and follow data protection protocols. 
  • Monitor networks and systems: Set up systems to regularly monitor network activity for unusual or unauthorized access attempts. Employ automated alerts to detect suspicious activity in real time, which enables faster responses to breaches or hacking attempts.
  • Develop an incident response plan: A clear incident response plan ensures that your team can quickly act to mitigate the damage if a breach occurs. 
  • Back up data regularly: Ensure regular backups of critical data to minimize the impact of ransomware attacks or other breaches. Store these backups in a secure, offsite location and ensure they are encrypted.

 

FAQs

Is encryption mandatory for healthcare data under HIPAA?

Encryption is strongly recommended by HIPAA to protect sensitive patient data, particularly when stored or transmitted electronically.

 

What is the most common cause of data breaches in healthcare?

Phishing attacks are among the most common causes, where employees are tricked into providing credentials or sensitive information, leading to unauthorized access.

 

What should healthcare organizations do immediately after discovering a breach?

They should secure systems, contain the breach, notify affected individuals and relevant authorities, and investigate the extent of the breach to prevent further damage.