Data Breaches at Hospitals Demonstrate Industry Vulnerability

F.J. Thomas, Nancy Grover

Kalispell, MT ( – Within the last week, hospitals in Montana and Texas were hit with data breaches that included patient information.

The Flathead Beacon in Montana reported that Kalispell Regional Healthcare (KRH) is notifying 130,000 patients that their personal information may have been compromised. According to a news release on the company’s website, KRH had been named in the “top quartile for data security readiness” for their efforts in securing electronic healthcare information. However, in August, the hospital discovered that employees had inadvertently given out their KRH login credentials in response to a phishing email. The emails may have started as early as May. Upon discovery, KRH immediately reported the issue to federal law enforcement who launched an investigation with a digital forensics firm to determine what information may have been released in the breach.

A report on Tuesday by the Star Telegram stated that Texas Health recently had a data breach as well. The Texas Health incident was discovered in August and impacted approximately 82,000 patients that had procedures or services from July to September. According to the report, a system configuration error in the practice management system had caused patient information to be routed inappropriately. While the information included patient name, account numbers, and procedure information, the healthcare group states that social security numbers and financial information was not disclosed, and that it did not appear any information had been used inappropriately. The breach impacted several hospitals and numerous jointly-owned healthcare offices in the area.

According to HIPAA Journal information, since 2009 there have been 2,545 data breaches that have involved 194,853,404 healthcare records. Per the Flathead Beacon report, just in the last 90 days there have been healthcare data breaches at 23 hospitals in 19 states.

The breaches point out the need for organizations to be ever cognizant of potential attacks.

“As the healthcare industry continues to innovate service offerings, increase access to data, and create operational efficiencies using advanced technology, there’s an increasing risk from cybercriminals who work tirelessly to evolve techniques that challenge our defenses,” stated OneCall in its white paper, Healthcare Under Attack. “This constant threat of cyberattacks and security incidents has a direct impact on the workers’ compensation industry — it is a reminder that preparation and constant vigilance are the only defenses at our disposal to ensure our information is safe and protected.”

Human error causes more than one-quarter of data breaches, the company reports. Workers may click on links they believe are legitimate, or respond to unsafe external inquiries.
“Educating employees on how to identify red flags and report potential threats can immediately reduce the risk and costs associated with a breach,” the company states. “In fact, the … study points out that education programs can reduce the cost of a breach by up to $9 per record.”
The paper points out several additional ways organizations can better protect themselves against cyber attacks and save money.

Prepare. “Studies show having a ready-to-go incident response plan and investigation team can reduce the cost of a breach by $14 per record,” it states. “Your team should be ready to quickly identify, report and respond to a problem. This can shorten the time of a data breach and assist crisis management personnel with communication to impacted stakeholders.”

Act quickly. Time is of the essence in identifying a potential breach. “Statistics show companies that identify a breach in less than 100 days can save up to $1 million in post-data breach costs,” the company reports.
Eliminate old data. “Old data is bad data that collects rapidly if not destroyed when no longer needed,” the report says. “If maintained on your system, it also makes you vulnerable to an attack, even if you are not using it.” Companies that destroy old data can reduce costs of a breach by more than $5 per record.

“An attacker only needs to be right one time to cause havoc, which means companies have to be right every time in order to prevent a security breach,” the report concludes. “This may seem like a tall order, but with the right preparation, education and monitoring, you can thrive in this rapidly changing technology-driven environment.”

News brought to you by