The following are three recent HIPAA data breaches, and what you can take away from each to better protect PHI:

#1

NewYork-Presbyterian Hospital (NYP) was fined $300,000 by the New York Attorney General for sharing patient information with third-party tech companies through tracking tools on its website. The hospital, operating 10 facilities in New York City, used the tools for marketing purposes from June 2016 to June 2022. The investigation found that NYP lacked proper internal policies to vet these tools, leading to unintentional data breaches affecting 54,000 individuals. NYP agreed to pay the fine, conduct regular audits of third-party tools and contract/privacy policy reviews, and instruct third parties to delete any received protected health information.

The Takeaway:

Healthcare providers need to diligently protect patients’ digital privacy. As breaches involving tracking pixels continue to make headlines, covered entities must ensure they are not employing any marketing tools that might compromise patient data. Any third party that uses or gains access to PHI must have an up-to-date Business Associate Agreement in place with the entity providing the information.

#2

CISA conducted a risk and vulnerability assessment (RVA) at a healthcare organization, revealing cybersecurity weaknesses common across the sector. The two-week penetration test identified issues such as misconfigurations and weak passwords, emphasizing the importance of internal network security. CISA issued an advisory with suggested mitigations.

The Takeaway:

Healthcare providers must improve credential hygiene, follow NIST guidelines, and implement phishing-resistant multi-factor authentication to secure patient data. They should also implement network segmentation controls to further protect internal environments.

#3

NYC Health + Hospitals issued a notice, as required by HIPAA, regarding the unauthorized disclosure of patients’ PHI. The incident occurred at NYC Health + Hospitals/Kings County when a hospital employee allowed an unauthorized volunteer access to the laboratory between October 2, 2021, and August 14, 2023. The disclosed PHI includes names, dates of birth, medical record numbers, hospital locations, and laboratory test details.

The Takeaway:

Employees of healthcare providers must receive complete HIPAA compliance training to equip them to effectively protect patient data. Organizations that implement robust training programs see fewer cases of employee mishandling of information. If you need HIPAA training for your employees, you can check out the newly updated Medcurity HIPAA Compliance Training module.

If you have questions about how Medcurity brings clarity and confidence to HIPAA compliance for covered entities, reach out to our team!