Children’s Mercy data breach isn’t an isolated incident. In healthcare, it’s an epidemic.
A 2015 study by Ponemon Institute found criminal attacks involving data breaches in healthcare rose 125 percent since 2010. According to the Office of Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) regulations, there were 253 healthcare breaches in 2015 with a combined loss of over 112 million records. Data breaches involving protected health information (PHI) are not isolated incidents. In healthcare, data breaches are an epidemic, resulting in stiff fines levied by HIPAA, loss of protected health information, and damaged healthcare provider reputations.
Children’s Mercy Hospital of Kansas City is the latest victim of this epidemic. They recently experienced a data breach when the medical records of 238 children were stolen from an employee’s vehicle. Children’s Mercy immediately reported the theft to local police and notified patient families within the time limit allowed by HIPAA. All affected families will receive free identity theft protection for one year, and Children’s Mercy is reviewing its policies and procedures for any improvements to prevent future incidents. In a bit of good news, stolen records did not include financial data, insurance information or Social Security numbers.
We cite Children’s Mercy because its reputation in the Kansas City community and around the country is second to none. A data breach like this could be damaging to the hospital’s reputation if the incident isn’t managed correctly. By all accounts, Children’s Mercy has followed the requirements stipulated in the HIPAA Breach Notification Rule.
So why have data breaches like the one Children’s Mercy experienced reached epidemic proportions? Criminals want their ticket to riches: the protected health information inside every medical file. It has far greater value on the black market than records gained from identity theft. The healthcare provider is at risk of having PHI stolen, as are the provider’s business associates who have access to PHI.
Criminals find medical records on laptops stolen from cars in hospital parking lots or, increasingly, steal them online. Cyber threats are the 800-pound gorilla in the room. Is everyone alarmed? Not yet. According to the Ponemon study, only 40 percent of healthcare organizations are concerned about cyber attacks. HIPAA and the OCR are very concerned about protecting PHI. Fines levied for lost or stolen PHI records are startling, and the entities impacted read like a Who’s Who in Healthcare.
This raises the question: how can healthcare organizations give the same level of care and attention to patients’ information as they give to treating patients?
The answer is in empowering healthcare compliance departments with a governance, risk and compliance (GRC) program with processes designed to help manage cybersecurity, comply with HIPAA requirements, perform third-party assessments with business associates, educate and train employees on best practices and more. Lockpath’s Manny Jones will lead a roundtable at the CIO Healthcare Exchange later this month on how GRC processes can bring automation and efficiencies to compliance and risk management programs.
The data breach at Children’s Mercy could happen at any healthcare organization in the country. The incentive to steal or commit fraud to obtain PHI is too strong. It’s time to empower compliance departments to fight back. Fighting back is what hospitals encourage patients to do. Now it’s healthcare organizations that need to discover their fighting spirit.