Expensive products often denote quality. Paying more for something typically means it’s made better or has more valuable components. A luxury car is more likely than lower-priced models to have a premium sound system, higher-quality interior materials, and a smoother ride.
However, in the world of HIPAA violations, expensive certainly is not a good thing. The average cost for a healthcare data breach is $9.8 million. That’s $3.7 million more than the average for finance, the second-costliest industry for data breaches.
Healthcare data breaches have been the most expensive of any industry for 14 years in a row. In 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported a 239 percent increase in hacking-related data breaches between January 1, 2018 and September 30, 2023.
Earlier this year, healthcare billing and data systems provider Change Healthcare fell victim to a ransomware attack by the ALPHV/Blackcat ransomware group. The attack disrupted hospitals, medical offices and pharmacies nationwide, with a financial impact reported at a staggering $872 million.
Why do so many healthcare entities fail to comply with HIPAA? Not all violations are intentional, but a few of the most common HIPAA violations that have resulted in financial penalties include insufficient electronic protected health information (ePHI) access controls, failure to use encryption or an equivalent measure to safeguard ePHI on portable devices, and the lack of a HIPAA-compliant business associate agreement (BAA).
In addition to the criminal and financial penalties sometimes levied for HIPAA violations, data breaches impact healthcare entities through lost patient trust and a damaged reputation. For smaller healthcare providers, a data breach and subsequent downtime can force them to close permanently due to a lack of financial resources.
The Importance of a Secure Patient Communication System
Healthcare practices don’t have to spend thousands of dollars to stay compliant with HIPAA regulations or be ready in the case of an audit by OCR. As we mentioned in a recent blog, healthcare phone systems that streamline patient communication while ensuring compliance with regulatory requirements are a strategic asset for healthcare practices of all sizes.
Voice over Internet Protocol (VoIP) platforms address the unique operational needs of healthcare practices, producing efficient call management, secure communication and enhanced patient engagement. They are equipped with advanced security features, such as encryption, to keep patient data secure during transmission and storage.
In addition to costing less than traditional phone service, all-in-one VoIP healthcare phone systems offer medical groups a multitude of advanced calling and data storage features (including video calling), improved voice quality, elimination of long-distance calling fees and 24/7 access to contacts, files and features. That easier access to patient data often results in better evidence-based decision-making.
What occurs when healthcare providers fail to focus on HIPAA compliance? Look at this list of the five biggest healthcare data breaches.
1. Anthem, Inc.
The costliest data breach in United States history belongs to this health plan. In January 2015, Anthem disclosed that a series of cyberattacks had resulted in the theft of 78.8 million patient records, including names, home addresses, dates of birth and Social Security numbers.
Along with the impermissible disclosure of ePHI, OCR found multiple other violations: failure to conduct an enterprise-wide risk analysis, failure to identify and respond to suspected or known security incidents, insufficient procedures to regularly review information system activity, and inadequate technical controls to prevent unauthorized ePHI access. In 2018, Anthem agreed to a record-breaking settlement of $16,000,000 in a class-action lawsuit brought by the data breach victims, in addition to the $16 million penalty paid to OCR for HIPAA violations.
2. American Medical Collection Agency (AMCA)
In 2019, AMCA provided notice of a data breach that affected 26,059,725 individuals across multiple states. The company, a debt collector for medical service providers including Quest Diagnostics and LabCorp, found that an unauthorized individual had access to its systems from August 2018 to March 2019 and stole sensitive data such as names, payment card information, Social Security numbers and some medical test information.
AMCA was hit with a $21 million penalty, although it was suspended through a 2021 settlement with a coalition of 41 state Attorneys General. If the company defaults on the settlement agreement terms, it will be required to pay the initial amount.
As part of the settlement, AMCA agreed to create and implement an information security program, use a third party to perform information security assessments and continue cooperating with the attorneys general in investigations related to the data breach. It was also required to employ a qualified chief information security officer.
3. Welltok, Inc.
As noted by the HIPAA Journal, in May 2023, SaaS provider Welltok was the victim of a global cyberattack by the Clop group. The group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution to attack more than 2,600 companies globally. Through the breach, the hackers gained unauthorized access to full names, email addresses, physical addresses, telephone numbers, Social Security and Medicare/Medicaid ID numbers and health insurance details.
The number of individuals affected by this breach was initially listed as 8,493,379, but that number has risen to 14,762,475. An OCR penalty has yet to be issued.
4. Kaiser Foundation Health Plan
A subsidiary of Kaiser Permanente, this health plan notified OCR of a data breach in April of this year that affected 13.4 million current and former patients. It’s the largest reported breach involving website tracking technologies. Data procured from the breach included names, IP addresses and sign-in statuses but no PHI or other sensitive data. The tracking technologies at the center of this breach have since been removed from the health plan’s websites and mobile applications.
5. HCA Healthcare
The largest healthcare system in the U.S. announced in July 2023 that cybercriminals had gained unlawful access to an external storage location used to automate the formatting of its email messages. The hacking incident exposed the names, addresses, birth dates and other personal information of 11,270,000 individuals in 20 states.
Although no clinical or financial information was stolen through the hacking, multiple class-action lawsuits have been filed against the health system in numerous states. As of September 2024, OCR is still investigating the incident.
Remain HIPAA-Compliant with RingRx
At RingRx, our HIPAA-compliant phone system was built exclusively for healthcare practices and guarantees compliance. Upon starting your service, we offer a signed BAA, meaning you don’t have to worry about security when communicating with your patients. Our goal is to help you update legacy phone systems and modernize your practice, all while staying 100 percent HIPAA-compliant.
Start your free 14-day trial of RingRx