The Alarming Toll of HIPAA Breaches: Over 41 Million Individuals Affected in 2022

Each year, the Health and Human Services Office for Civil Rights (OCR) composes detailed reports on HIPAA compliance and breaches of unsecured Protected Health Information (PHI) and delivers them to Congress. The latest reports cover events from the 2022 calendar year. These reports can teach us about weaknesses in the HIPAA policies and procedures of other entities and the most common types of threats from malicious actors, and they can help educate staff on identifying vulnerabilities in the pharmacy’s safeguards during their next Risk Analysis.

Here are a few of the key takeaways from the 2022 Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance:

  • There was a 17% increase in the number of HIPAA complaints received from 2018 to 2022
  • There was a 107% increase in the number of large breaches reported from 2018 to 2022
  • OCR was able to resolve 87% of the complaints before initiating an investigation; pre-investigation closures could have resulted because:
    • The complaint was against an entity not covered by the HIPAA Rules
    • Allegations were about conduct that did not violate the HIPAA Rules
    • Complaints were untimely because they were not filed within 180 days of when the individual submitting the complaint knew or should have known about the act or omission that was the subject of their complaint
  • OCR completed 846 compliance reviews; in 80% of them the entity had to take corrective action or pay a civil money penalty
    • OCR may open a compliance review investigation “based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity”
    • OCR initiated 676 compliance reviews that did not arise from complaints but were instead opened by OCR after a breach report was filed. Of these, 626 stemmed from breach reports affecting 500 or more individuals, 2 from breach reports affecting fewer than 500 individuals, and 48 were brought to OCR’s attention by other means

The 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information had several key takeaways as well:

  • OCR received 626 notifications of breaches affecting 500 or more individuals
    • The total number of individuals affected by those breaches was approximately 41.7 million
    • 68% of these breaches were from health care providers, 19% from business associates, 13% from health plans, and <1% from health care clearinghouses
    • 74% of these breaches were reportedly due to hacking/IT incidents involving electronic equipment or a network service, 19% to unauthorized access or disclosure of records, 4% to theft, <1% to loss of electronic media or paper records containing PHI, and <1% to improper disposal
    • The PHI was most commonly held on network servers (58%), but also in email (22%), paper records (6%), electronic medical records (6%), desktop computers (4%), other portable electronic devices (3%), laptop computers (2%), and other locations (<1%)
  • The largest breach in 2022 was an incident where hackers utilized ransomware to compromise the servers of a healthcare provider with PHI on them, which affected over 3.3 million individuals
  • Other hacking/IT incidents included the use of malware, phishing, and the posting of PHI to public websites
  • Remedial actions often included:
    • Implementing multi-factor authentication for remote access
    • Revising policies and procedures
    • Training/retraining staff that handle PHI
    • Adopting encryption technologies
    • Imposing sanctions on workforce members who violated policies and procedures regarding the proper handling of PHI
    • Performing a new risk analysis

According to OCR, “There is a continued need for regulated entities to improve compliance with HIPAA Rules. In particular, the Security Rule standards and implementation of specifications of risk analysis, risk management, information system activity review, audit controls, response and reporting, and person or entity authentication were areas identified as needing improvement in 2022 OCR breach investigations.”

If you are not sure where to start, contact PAAS National® at (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program, which is easy to set up, web-based, and customized for your pharmacy.

Sara Hathaway, PharmD