Big Breaches, Down in First Half of 2020, Show Role of BAs; Increase May Be Coming

By Theresa Defino

During the first six months of this year, 228 breaches affecting 500 or more individuals were reported to the HHS Office for Civil Rights (OCR), and of the top 20, five involved business associates (BAs), including the largest.[1]

If the second half of the year is like the first, the 2020 breach total could fall short of 2019’s record high of 511 breaches of this size posted on OCR’s so-called “Wall of Shame” website.

But whether the numbers truly reflect fewer breaches or are temporarily down, perhaps due to delayed reporting or the impact of the COVID-19 pandemic, is just a guess at this point.

If anything, some are predicting that the number of breaches may climb in the second half of the year. Covered entities (CEs) have 60 days from when a breach occurs to notify the agency, so the OCR website is always somewhat behind.

Experts have been warning for months that the “bad guys” are seizing on the chaos of the moment to strike, particularly through email hacks.[2] Indeed, of the top 20 breaches reported this year, based on number of affected individuals, all of them were the result of hacking/IT incident involving email, except three.

Still, the trend in recent years has been for smaller breaches, a somewhat relative term, and that has so far continued in 2020. It wasn’t unusual four or five years ago for a health plan, for example, to report a breach involving more than one million people. The big spike from 2014 to 2017 included Anthem and Premera Blue Cross, with 79 million and 11 million affected, respectively.

Last year saw a breach affecting 22 million individuals, partly attributed to Quest Diagnostics and LabCorp, due to a breach at their collection agency. That organization itself is a subcontractor and wasn’t responsible for reporting the breach to OCR. On OCR’s website, Quest’s BA Optum360 reported 11.5 million affected individuals related to this breach.

As of the end of June, however, there have been no breaches of this magnitude reported. The largest breach reported thus far in 2020 was Health Share of Oregon, and it also set the pace for the issue of BAs as a cause.

On Jan. 2, the health plan learned that a laptop containing the protected health information (PHI) of 654,362 individuals was stolen from GridWorks, which the plan described as its “non-emergent medical transportation” vendor. The laptop disappeared after a burglary in November 2019.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings