EMR Data Breaches: Are Your Clients at Risk?
Comperio Legal Services provides skilled attorneys with the electronic medical record analysis and expert witnesses they need to win. To learn more about how an EMR data breach impacts your case, schedule your FREE, no-obligation case consultation today.
When used with appropriate attention to security, electronic medical records (EMRs) promise numerous benefits for quality clinical care and health-related research. However, when a security breach occurs, patients may face physical, emotional, and dignitary harm.
Although we live in a world where much of daily life is entrusted to technology, EMRs attract attackers eager to capitalize on personal and sensitive information, and a successful breach creates legal trouble for everyone involved.
So why are EMRs so valuable? Medical records contain not only personal information such as name, address, and social security number, but also eligibility information and health insurance identification numbers. With that data, someone can fraudulently obtain medical care, including surgery, billed to the victim's coverage. Children’s records are also valuable to attackers: because a child has no credit report or bank account to monitor for identity theft, a child's identity can be exploited for years before the theft is uncovered.
According to IBM, a data breach is any security incident in which unauthorized parties gain access to sensitive data or confidential information, including personal data such as social security numbers, bank account numbers, and personal healthcare data as well as sensitive corporate data including customer data records, intellectual property, and financial information.
With nearly every hospital using an EMR system today, health IT security is a leading concern for healthcare organizations.
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires healthcare organizations to report all breaches of protected health information affecting 500 or more individuals to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which posts those breaches publicly.
According to UpGuard, there were 642 reported data breaches involving 500 or more medical records in 2020. In 2021, this number increased to 714 such reports, an average of 1.95 data breach reports per day.
The average ransomware payment in 2022 was nearly $212,000, down 34% from $321,000 in 2021. The speculation is that hacker groups target smaller hospitals, which often have poor cybersecurity measures in place and a higher likelihood of paying ransom demands. Bigger attacks also draw more law enforcement attention and larger investigations, which further puts smaller hospitals in the crosshairs.
In 2019, more than 85 percent of hospitals that were victims of ransomware attacks paid the ransom demanded. However, following strong law enforcement recommendations not to pay, the share of hospitals that paid dropped to 46 percent in 2022.
In 2019, a study using data collected by OCR and HHS showed that over half of the U.S. population might have been affected by security breaches since 2009. The study broke the data down by the number of breaches and the number of individuals affected in each breach. It estimated that, since October 2009, the medical records of at least 173 million people have been illegally obtained or accessed without proper authorization.
According to Health IT Security, Managed Care of North America (MCNA), a dental benefits administrator that provides services to Medicaid and CHIP programs across eight states, suffered a major healthcare data breach over roughly a week in February 2023 when its systems were infected with malicious code. Further investigation revealed that an unauthorized party had accessed certain systems and removed copies of personal information. Almost 9 million people, including patients, parents, guardians, and guarantors, were affected by the incident.
Data breaches and the release of personal health information result in legal action and a plethora of lawsuits.
This past February, Banner Health, one of the nation’s largest non-profit health systems, agreed to pay OCR $1.25 million to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations stemming from a massive 2016 hacking breach. That breach disclosed the protected health information of 2.81 million consumers.
Attorneys should educate and counsel their clients, whether patients or medical professionals, on the possibility of EMR data breaches and on what steps to take when faced with one.
Cyberattacks may not affect everyone, but the recent data make clear that they can affect anyone. Those who practice law in this field should be aware of the risk and stay on top of proper education.
There is currently no nationwide data privacy law that sets clear expectations for every entity type when it comes to data breaches. HIPAA-covered entities do have clear obligations under the HIPAA Breach Notification Rule, which requires them to notify impacted individuals of a breach without unreasonable delay and in no case later than 60 calendar days after discovery.
Covered entities must notify HHS of a healthcare data breach of any size. Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window (and to prominent media outlets in the affected state or jurisdiction), while breaches affecting fewer than 500 individuals may be logged and reported annually, within 60 days after the end of the calendar year in which they were discovered. HIPAA itself provides no private right of action, but failing to notify impacted patients within the allotted timeframe exposes a covered entity to OCR enforcement and to lawsuits brought under state law.
We Help You Navigate
Do you have an expert understanding of the risk posed by the electronic medical records in your case? Discover the truth. Schedule your FREE, no-obligation case consultation today.