Report: Healthcare Organizations Struggle with Human Error in Securing PHI

Healthcare Informatics Magazine | Health IT | Information Technology

October 19, 2017
by Heather Landi

In the first nine months of 2017, unintended disclosure accounted for 41 percent of healthcare data breach incidents, according to a report from specialist insurer Beazley. The high level of unintended disclosure incidents remains more than double that of the second most frequent cause of loss, hack or malware (19 percent), the report states. 

Beazley’s quarterly breach insights report examines the major causes of data breaches reported by healthcare insureds in the first nine months of 2017. “Whether it is an email containing protected health information (PHI) sent to the wrong recipient, discharge instructions given to the wrong patient, or a server containing PHI accidentally left open to the public, healthcare entities continue to struggle with human error on a regular basis,” the report authors wrote.

What’s more, unintended disclosure incidents are a persistent threat and expose organizations to greater risks of regulatory sanctions and financial penalties. Yet, the report authors note, unintended disclosures can be much more easily controlled and mitigated than external threats, which underscores why healthcare organizations shouldn’t ignore this significant risk and should invest time and resources towards employee training.

As noted, 19 percent of data breaches were caused by hack or malware. What’s more, the report found that 15 percent of healthcare data breaches were caused by insiders, 8 percent were caused by a physical loss, 6 percent were attributed to a portable device and 3 percent were attributed to social engineering.

While insider incidents accounted for only 15 percent of breach incidents, healthcare insureds have reported more insider incidents so far in 2017 than in 2016, when they accounted for 12 percent of healthcare incidents. Typically, insider incidents involve an employee viewing patient records without a work-related reason to do so, perhaps looking at a celebrity patient’s record or the record of an ex-spouse or neighbor. These “employee snooping” incidents are usually discovered by audits run on the electronic medical records system, or by another employee or patient reporting the suspected snooping.

The report authors note, “It is unclear what has led to the increase in insider incidents in healthcare, but what is clear is that increased employee vigilance and auditing will help organizations identify such behavior early on, reducing the number of affected patients and hopefully lessening the likelihood of regulatory inquiry.”
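The two paragraphs above describe how snooping is typically found: an audit of the EMR access log looking for record views that have no work-related justification. Below is an added example of such an audit, written for this page and not taken from the Beazley report or any EMR vendor. The patient directory, employee directory, care-team assignments and access-log lines are all constructed, and the four heuristics it applies (no treatment relationship with the patient, access to a restricted or VIP record, patient shares a surname with the employee, patient shares a street address with the employee) are assumed rules of the kind an audit team would choose, not rules the report specifies. An access is reported only when the employee has no treatment relationship; the other indicators are attached as aggravating reasons so a reviewer can triage the hits.

```python
"""Audit EMR access logs for indicators of employee snooping.

Added example, not from the Beazley report. All data is constructed and the
audit rules are assumed; a real deployment would derive the treatment
relationship from encounter, scheduling and order data rather than a static table.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed patient directory: surname and street support the
# "relative / neighbor" heuristics; vip marks a restricted record.
PATIENTS = {
    "P100": {"surname": "Okafor",  "street": "12 Elm St",  "vip": False},
    "P200": {"surname": "Delgado", "street": "9 Pine Ave", "vip": True},
    "P300": {"surname": "Nguyen",  "street": "44 Oak Rd",  "vip": False},
    "P400": {"surname": "Carter",  "street": "3 Birch Ln", "vip": False},
}

# Constructed employee directory (same attributes, for matching).
EMPLOYEES = {
    "u_nurse1": {"surname": "Nguyen", "street": "7 Maple Ct"},
    "u_clerk2": {"surname": "Smith",  "street": "44 Oak Rd"},
    "u_doc3":   {"surname": "Patel",  "street": "1 Cedar Way"},
}

# Assumed treatment relationships: which employees may legitimately view
# which patient's record during the audit window.
CARE_TEAM = {
    "P100": {"u_nurse1", "u_doc3"},
    "P200": {"u_doc3"},
    "P300": {"u_doc3"},
    "P400": {"u_nurse1", "u_clerk2"},
}

# Constructed EMR access log (CSV export).
ACCESS_LOG = """\
ts,user,patient,action
2017-09-01T08:02:11,u_nurse1,P100,view_chart
2017-09-01T08:15:40,u_nurse1,P300,view_chart
2017-09-01T09:30:05,u_clerk2,P400,update_demographics
2017-09-01T09:31:12,u_clerk2,P300,view_chart
2017-09-01T10:05:00,u_doc3,P200,view_chart
2017-09-01T12:44:19,u_nurse1,P200,view_chart
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    patient: str
    reasons: tuple  # ordered indicators that fired for this access


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(events, patients=PATIENTS, employees=EMPLOYEES, care_team=CARE_TEAM):
    """Return a Finding for every access with no treatment relationship.

    Aggravating indicators (restricted record, shared surname, shared street)
    are appended so reviewers can prioritise likely celebrity, relative or
    neighbor lookups over ordinary mis-clicks.
    """
    findings = []
    for e in events:
        user, pid = e["user"], e["patient"]
        if user in care_team.get(pid, set()):
            continue  # legitimate access for this audit's purposes
        pat, emp = patients[pid], employees[user]
        reasons = ["no treatment relationship"]
        if pat["vip"]:
            reasons.append("restricted (VIP) record")
        if pat["surname"] == emp["surname"]:
            reasons.append("shares surname with employee")
        if pat["street"] == emp["street"]:
            reasons.append("shares street address with employee")
        findings.append(Finding(e["ts"], user, pid, tuple(reasons)))
    return findings


def summarize(findings):
    """Count findings per employee, the usual starting point for an inquiry."""
    return Counter(f.user for f in findings)


if __name__ == "__main__":
    hits = audit(parse_log(ACCESS_LOG))
    for h in hits:
        print(h.ts, h.user, h.patient, "; ".join(h.reasons))
    print(dict(summarize(hits)))
```

Run as written, the audit flags three of the six accesses: the nurse viewing a same-surname patient she does not treat, the clerk viewing a patient at the clerk's own street address, and the nurse viewing the restricted record. The physician's view of the restricted record is not flagged because a treatment relationship exists; many organizations would still log VIP accesses for periodic review, which is a separate report from this one.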

Another noticeable trend across all industries in 2017 is the nine-fold increase in social engineering attacks. A social engineering attack occurs when a hacker uses deception to manipulate individuals into divulging confidential or personal information.

The report also notes that there has been a marked increase in the number of Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforcement activities in recent years. As the number of investigations and resolution agreements have increased, so too has the average settlement payment.

The combined total of 13 resolution agreements in 2014 and 2015 saw settlement amounts ranging from $125,000 to $3.5 million (an approximate average of $1 million each), the report notes. In 2016 there were about 13 resolution agreements, and so far in 2017 there have been nine. The 2016 and 2017 resolution agreement settlements range from $31,000 to $5.5 million (an average of $1.8 million each), according to the report.

The report authors also suggest two reasons for the increase in enforcement activity: OCR has more resources at its disposal and far less patience for HIPAA non-compliance, and OCR representatives have expressed frustration at entities’ failure to comply with HIPAA’s Privacy and Security Rules, which have been in force since 2003 and 2005, respectively.

Healthcare organizations should also be aware that when they report a breach, it opens the door for OCR to investigate the entity’s basic HIPAA compliance, the report authors note. The investigation in turn can lead to corrective action plans and settlements. Typically, it takes three to six years from the time the breach was first reported to OCR to resolution, imposing a long-term drain on managerial resources as well as finances.

“But with the increase in OCR’s resolution agreements, a trend of OCR’s hot button issues has emerged. Organizations should review previous resolution agreements (all of which are available on OCR’s website) and familiarize themselves with what OCR considers to be best practices, such as: device encryption; workforce education and training; updating of policies and procedures; the elimination of old data; security risk assessments; risk mitigation plans; vendor management and using the minimum amount of PHI.”

Katherine Keefe, global head of Beazley Breach Response Services, said in a statement, “All organizations face the reality that data breaches have become inevitable. And the stakes are high: they hold personal data on trust for customers, employees and patients. The volume of protected health information maintained by healthcare organizations and the digitization of electronic health records have increased the vulnerability for large breaches. It is important to understand the underlying causes so as to mitigate and manage them effectively.”
