A spike in large breaches – those affecting at least 500 people – is being driven by an 82 percent year-over-year increase in successful hacking of healthcare organizations.

Aldrin Brown, Editor-in-Chief

October 28, 2017


A continued lax security posture by too many healthcare organizations is making them increasingly attractive targets for cyber criminals, who have executed a record number of successful breaches of HIPAA-protected information this year, federal health officials told MSPmentor.

The 221 major breaches reported under HIPAA regulations so far this year mark a 66-percent increase over the 133 breaches reported for all of 2016, according to our analysis of records from the U.S. Department of Health and Human Services Office of Civil Rights (OCR).

That spike is driven by a dramatic surge in incidents attributed to “Hacking/IT Incidents,” which are already up 82 percent from a year ago.

“The increase in breaches of records involving 500 or more individuals is the key trend that we have observed,” Lou Burton, a media affairs specialist at OCR, said in an email.

“Additionally, reported breaches of 500 or more due to ‘hacking or IT incidents’ are on the rise, which is consistent with the increase in cybersecurity threats aimed at health care organizations,” he added. “Cyber criminals target organizations who devote too little resources to security, which consequently makes such organizations vulnerable targets.”

Helping organizations to harden their defenses is part of OCR’s mission.

“OCR continues to empower entities by providing updated guidance and resources to help these entities mitigate risks that lead to breaches,” Burton said.

The office directs organizations to its HIPAA Security Rule guidance website, which offers information on risk analysis, remote use, mobile devices and ransomware.

Also, Burton said there has been no change in OCR’s approach to settling HIPAA breach cases, despite a seeming lull in the pace of new resolutions.

Last year, HHS collected a record $23.5 million in settlement payments from organizations that failed to properly secure or otherwise mishandled protected health information.  

That was up from just $6.2 million in 2015.

The torrid pace of settlements continued into 2017, with $14.7 million collected by late May.

But there hasn’t been another settlement in more than four months.

“There has been no change in policy,” Burton said.

“When OCR receives a complaint or investigates a breach, there is a period of review in which OCR conducts a thorough investigation and determines what further actions are warranted,” he explained. “OCR had a record year for settlements in 2016 – but this was not the case in prior years, and the number of settlements entered into each year is dependent on a number of factors, including the complexity of the case and the degree of cooperation of the entity being investigated.” 




About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

