While interesting and unusual HIPAA breaches do happen, the most common HIPAA breaches in healthcare are still old-fashioned human error.
Since 2004, the number one cause of breaches has been impermissible uses and disclosures. This can be anything from an unencrypted email sent to the wrong party, to discharge papers or care instructions handed to the wrong patient, to employee snooping (looking at records they have no need to know).
A newer but increasingly common type of unintended disclosure is the social engineering attack. In these situations, hackers send emails requesting information, a form of phishing. These emails manipulate individuals into divulging information that should not be disclosed. An example of this type of breach occurred when a healthcare organization experienced a foreign phishing attack that exposed nearly 20,000 pediatric patients’ information held in employee email boxes. Employees had clicked on the phishing emails and either gave up their credentials or launched malware into the network. These types of breaches increased nine times in the past year!
Employee training is critical to containing this type of risk. Initial and ongoing training is necessary to maintain employee vigilance on this type of issue. Hackers are working 24x7 to obtain confidential information; as a healthcare covered entity or business associate, you need to be on top of this!