Lax Security to Blame For Record Pace of HIPAA Breaches, Feds Say

A spike in large breaches – those affecting at least 500 people – is being driven by an 82 percent year-over-year increase in successful hacking of healthcare organizations.

A continued lax security posture by too many healthcare organizations is making them increasingly attractive targets for cyber criminals, who have executed a record number of successful breaches of HIPAA-protected information this year, federal health officials told MSPmentor.

The 221 major breaches reported under HIPAA regulations so far this year mark a 66-percent increase over the 133 breaches reported for all of 2016, according to our analysis of records from the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

That spike is driven by a dramatic surge in incidents attributed to “Hacking/IT Incidents,” which are already up 82 percent from a year ago.

“The increase in breaches of records involving 500 or more individuals is the key trend that we have observed,” Lou Burton, a media affairs specialist at OCR, said in an email.

“Additionally, reported breaches of 500 or more due to ‘hacking or IT incidents’ are on the rise, which is consistent with the increase in cybersecurity threats aimed at health care organizations,” he added. “Cyber criminals target organizations that devote too few resources to security, which consequently makes such organizations vulnerable targets.”

Helping organizations to harden their defenses is part of OCR’s mission.

“OCR continues to empower entities by providing updated guidance and resources to help these entities mitigate risks that lead to breaches,” Burton said.

The office directs organizations to its HIPAA Security Rule guidance website, which offers information on risk analysis, remote use, mobile devices and ransomware.

Also, Burton said there has been no change in OCR’s approach to settling HIPAA breach cases, despite a seeming lull in the pace of new resolutions.

Last year, HHS collected a record $23.5 million in settlement payments from organizations that failed to properly secure or otherwise mishandled protected health information.

That was up from just $6.2 million in 2015.

The torrid pace of settlements continued into 2017, with $14.7 million collected by late May.

But there hasn’t been another settlement in more than four months.

“There has been no change in policy,” Burton said.

“When OCR receives a complaint or investigates a breach, there is a period of review in which OCR conducts a thorough investigation and determines what further actions are warranted,” he explained. “OCR had a record year for settlements in 2016 – but this was not the case in prior years, and the number of settlements entered into each year is dependent on a number of factors, including the complexity of the case and the degree of cooperation of the entity being investigated.”
