Top HIPAA Violations / Health Data Breaches of 2022
For 27 years, the Health Insurance Portability and Accountability Act (HIPAA) has served as the national standard for safeguarding health information. In a world where technology plays a crucial role in enhancing patient experiences, HIPAA compliance is essential for the healthcare industry to avoid penalties.
Sadly, HIPAA violations remain a persistent issue in healthcare. These breaches of protected health information (PHI) jeopardize the privacy of patient data, and they typically occur when insufficient precautions are taken to protect sensitive information.
The year 2022 saw 595 healthcare breaches involving more than 40 million patients, reemphasizing that healthcare organizations must prioritize HIPAA compliance to protect patient data and avoid costly penalties. In 2022, several HIPAA violation cases made headlines and served as a warning to all organizations handling PHI. In this article, we’ll highlight the five biggest HIPAA violation cases of the year and the lessons that can be learned from each.
Hospitals, medical centers, physician practices, healthcare providers, health plans, and business associates are all considered covered entities under HIPAA and can face penalties for non-compliance. The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is responsible for enforcing HIPAA and can impose fines ranging from $100 to $50,000 based on various factors such as:
- Intent (civil vs. criminal penalties)
- Degree of negligence
- Involvement of a doctor
- Occurrence of a breach
- Number of records impacted
- Potential future risk due to the breach.
Stay ahead of HIPAA violations and the associated penalties by prioritizing compliance and ensuring the protection of patient data.
The Biggest HIPAA Violation Cases of 2022
It can take months or even years for the OCR to discover and resolve both intentional and accidental HIPAA violation cases. Here are some of the largest healthcare data breaches of 2022:
OneTouch Point: A July ransomware attack impacting four million records
OneTouch Point provides marketing execution services to health insurance carriers and medical providers. This breach, which affected more than 30 health plans, occurred through a ransomware attack on the company’s printing and mailing vendor. Data compromised in the attack consisted of names, contact IDs and information collected during patient health assessments. When OneTouch Point first reported the breach, it was thought that just over one million individuals were impacted.
Eye Care Leaders: A hacking incident affecting approximately 3.6 million individuals
This North Carolina-based ophthalmology-specific EMR solution provider experienced a breach in which the attacker first gained access to the company’s systems and databases in December 2021 — weeks before the cyberattack. That access enabled the attacker to delete data and system configuration files. The company notified the at least 41 affected providers in March 2022, and each of those entities separately reported the breach. Eye Care Leaders is the subject of multiple lawsuits alleging that it concealed multiple ransomware attacks and related outages that began in March 2021.
Advocate Aurora Health: Impermissible disclosure of up to 3 million records
This breach, reported in October 2022, is unusual in that it involves third-party tracking pixels. Pixels from companies such as Google and Meta were used on Advocate’s websites, patient portals and applications to gain insight into the use of its patient-facing digital services. The problem? The tracking code transmitted patient information to its developers, resulting in the accidental disclosure of patients’ IP addresses, appointment dates, times and/or locations, proximity to Advocate Aurora Health locations, provider details, procedure types, insurance information and proxy names. Although the tracking pixels at the center of this breach have since been disabled, the company has been the subject of multiple patient-led class-action lawsuits over the breach.
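As an added defender-side check (not code from the original article or from Advocate Aurora Health), the following Python script audits crawled HTML for third-party pixel scripts and images on patient-facing paths, where the page URL, query string and DOM content the pixel can read may carry PHI. The tracker host list, the patient-facing path prefixes and the sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of common third-party analytics/advertising pixels (constructed starting list;
# extend it with the vendors present in your own environment).
TRACKER_HOSTS = {
    "connect.facebook.net", "www.facebook.com",
    "www.googletagmanager.com", "www.google-analytics.com",
}
# Path prefixes assumed to serve patient-facing content (hypothetical; adjust to your portal).
PATIENT_PATH_PREFIXES = ("/patient-portal/", "/appointments/")


class TrackerFinder(HTMLParser):
    """Collect (tag, host) for every script/img/iframe loaded from a known tracker host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        # urlparse handles absolute and scheme-relative (//host/...) URLs; relative paths give no host.
        host = urlparse(dict(attrs).get("src") or "").hostname or ""
        if host in TRACKER_HOSTS:
            self.hits.append((tag, host))


def audit_page(path, html):
    """Return (severity, tag, host) findings for one page. A tracker on a patient-facing
    path is HIGH because the URL, query string and DOM it can read may carry PHI."""
    finder = TrackerFinder()
    finder.feed(html)
    severity = "HIGH" if path.startswith(PATIENT_PATH_PREFIXES) else "INFO"
    return [(severity, tag, host) for tag, host in finder.hits]


# Constructed sample pages standing in for crawled portal output.
SAMPLE_PAGES = {
    "/patient-portal/appointments?provider=drsmith&date=2022-10-03":
        '<head><script src="https://connect.facebook.net/en_US/fbevents.js"></script></head>'
        '<body><img src="//www.facebook.com/tr?id=EXAMPLE&ev=PageView" width="1"/></body>',
    "/about-us": '<script src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>',
    "/patient-portal/results": '<script src="/static/app.js"></script>',
}


def audit_site(pages=SAMPLE_PAGES):
    """Audit every page and return {path: findings}, omitting pages with no trackers."""
    return {p: h for p, h in ((p, audit_page(p, html)) for p, html in pages.items()) if h}
```

Run it against the HTML your crawler saves for each authenticated portal page; any HIGH finding is a candidate for the same kind of impermissible disclosure described above and should be removed or reviewed under a business associate agreement.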
Connexin Software: A hacking incident impacting roughly 2.2 million individuals
In August 2022, this Wisconsin-based provider of an EHR solution for pediatric practices detected a breach of its network. In the incident, which affected approximately 120 pediatric physician practices, hackers accessed and exfiltrated an offline set of data used for data conversion and troubleshooting. That data set included names, Social Security numbers, health insurance information, billing and/or claims data and clinical information. The company notified OCR of the breach on November 11, 2022.
Shields Health Care Group: A hacking incident involving 2 million records
A third-party vendor that provides MRI, PET/CT and outpatient surgical services, Shields Health Care Group was the target of a March 2022 breach in which an unknown actor gained access to certain company systems and subsequently acquired data. According to the Massachusetts-based company, the breached data included full names, Social Security numbers, provider information, diagnoses, billing information, medical record numbers, patient IDs, dates of birth, addresses and treatment information. The breach, which impacted nearly 60 healthcare practices, was reported to OCR in May 2022.
These HIPAA violations highlight the threat to sensitive patient health information and the importance of implementing safeguards and data security measures. Healthcare organizations must ensure that they follow HIPAA compliance best practices for PHI, including encryption of sensitive data, regular data backups, and employee training on cybersecurity best practices.
By prioritizing data security and following best practices for HIPAA compliance, healthcare organizations can help prevent data breaches and protect sensitive patient information. The Five Stars HIPAA Compliance team of experts has a deep understanding of HIPAA regulations and will work with you to ensure your organization is fully compliant. We offer comprehensive solutions that cover everything from risk assessments to staff training, and we provide ongoing support to ensure your compliance status is always up to date.