August 2022 Healthcare Breach Report

Business associates had another bad month in August, with more than three times the number of patient records breached than covered entities. Business associates reported 2,817,598 records breached in August, while covered entities tallied 898,177 breached files. Data breaches affected 3,715,755 records containing protected health information (PHI) during August. 

In August 2022, there were 48 large-scale breaches reported, 34 of which affected healthcare providers. These 34 incidents compromised the PHI of 751,869 individuals, representing 20.2% of patients affected by the August incidents. 

Business associates reported nine additional incidents that affected 2,817,598 patients, representing 75.8% of patients affected. 

Five health plans also reported incidents affecting 146,308 patients and representing almost 4% of affected patients. 

In August, 34 breaches resulted from hacking incidents. There were ten breaches caused by unauthorized access or disclosure of PHI, two incidents involving theft, and two resulting from loss of PHI.

August 2022 Healthcare Breaches and Hacking

Cybercriminals are still busy as hacking continued its streak at the top of the list of causes of healthcare breaches in August 2022. The 34 hacking incidents reported in August affected the PHI of 2,311,875 patients. These 47 incidents represented 97.5% of all reported records breached during the month.

Entities affected by hacking:

• 25 healthcare providers, 736,711 patients, 31.9% of patients affected by hacking
• 5 business associates, 1,429,038 patients, 61.8% of patients affected by hacking
• 4 health plans, 145,604 patients, 6.3% of patients affected by hacking

Types of hacking incidents:

• 26 network server hacks, 2,129,880 patients, 92.1% of patients affected by hacking
• 7 email hacks, 178,995 patients, 7.8% of patients affected by hacking
• 1 electronic medical records systems/network server hack, 3,000 patients, 0.1% of patients affected by hacking

How to Prevent Hacking Incidents

As hacking incidents have become the leading cause behind healthcare breaches for several years, minimizing your risk of being targeted is crucial.

Security Risk Assessments and Remediation

Security risk assessments (SRAs) are vital for security and compliance. An SRA aims to identify weaknesses and vulnerabilities in your security practices to prepare yourself against potential threats. Once SRAs have been conducted, it is essential to create remediation plans to address any identified deficiencies.

Employee Cybersecurity Training

A significant portion of hacking incidents results from phishing emails. This is why employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.

August 2022 Healthcare Breaches and Unauthorized Access or Disclosure

Incidents of unauthorized access or disclosures of PHI can occur in two ways – an authorized employee accesses PHI inappropriately, or an unauthorized party gains access to PHI. August 2022 seemed particularly careless as 10 incidents of unauthorized access or disclosure of PHI were reported. These incidents affected 1,398,595 patients, representing a troubling 37.6% of the breached records reported in August.

Entities affected by unauthorized access or disclosure:

• 4 business associates, 1,388,038 patients, 99.2% of patients affected by unauthorized access or disclosure
• 5 healthcare providers, 9,853 patients, 0.7% of patients affected by unauthorized access or disclosure 
• 1 health plan, 704 patients, less than 1% of patients affected by unauthorized access or disclosure

Types of unauthorized access or disclosure:

• 3 electronic medical records incidents, 1,363,804 patients, 97.6% of patients affected by unauthorized access or disclosure
• 4 email incidents, 21,217 patients, 1.5% of patients affected by unauthorized access or disclosure
• 2 paper/films incidents, 7,760 patients, 0.5% of patients affected by unauthorized access or disclosure
• 1 network server incident, 5,738 patients, 0.4% of patients affected by unauthorized access or disclosure

How to Prevent Unauthorized Access or Disclosure

As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.

Policies and Procedures and Employee Training

HIPAA policies and procedures are essential to HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations. 

User Authentication, Access Controls, and Audit Controls

To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication provides unique login credentials for each employee, while access controls enable administrators to designate different PHI access levels using those unique login credentials. Also, based on the implementation of unique login credentials, audit controls track access to data to ensure that PHI is accessed appropriately by each employee.

August 2022 Healthcare Breaches and Other Causes

In August 2022, other types of breaches were reported to OCR that affected a total of 5,304 individuals, representing 0.1% of the breached records reported in August.

• 2 healthcare providers reported thefts of paper/films, 2,713 patients, 51.2% of the total patients affected by other causes
• 2 healthcare providers reported the loss of other electronic devices or unspecified loss, 2,592 patients, 48.8% of the total patients affected by other causes