Data Privacy Concerns in the U.S. Healthcare Sector
- Data Bleed, Health
- 07/10/2024
- Author: Ryzhova Marianna, LLM, Legal Studies Università di Bologna
What links an individual with a rare disease to someone suffering from a common cold? The answer is plain and simple – the need for proper healthcare.
Every day, millions of people visit private clinics and hospitals seeking various forms of care, whether for intoxication, injury, a common cold, diabetes, or mental illness. For example, in 2022, there were more than 33.7 million hospital admissions in the United States.
Considering these numbers, it becomes challenging to even grasp the sheer volume of personal data that must be processed, shared, and transferred for various purposes daily. As a consequence, millions of patients are at risk, as their personal data may be easily stolen or sold.
To avoid such a scenario, in 1996, the US Department of Health and Human Services (HHS) designed the Health Insurance Portability and Accountability Act (HIPAA) to facilitate health insurance reform, implement standards for the transfer of health data, and protect the privacy of healthcare consumers. In 2020, HHS published a final Privacy Rule that serves as a framework that enforces HIPAA’s goal of protecting health data.
The Privacy Rule (45 CFR Parts 160 and 164) governs the use and disclosure of individually identifiable health information, referred to as protected health information (PHI), by entities subject to the Rule, known as covered entities.
What does this term include?
📎 Health plans – individual and group plans that provide or pay the cost of medical care are covered entities. Health plans may include health, dental, vision, and prescription drug insurers, health maintenance organizations, etc.
📎 Healthcare clearinghouses – entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.
📎 Health care providers – every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions.
Privacy Rule in brief
The Privacy Rule safeguards all protected health information (PHI) that is transmitted or maintained in any form or medium—such as electronic, paper, or oral—by a covered entity or its business associates. The Rule mandates appropriate safeguards to protect the privacy of PHI and imposes restrictions on its use and disclosure without an individual’s consent. Additionally, the Rule grants individuals rights over their PHI, including the ability to examine and obtain a copy of their health records and to request corrections.
Data Breaches & Penalties
There are two types of penalties for data breaches under HIPAA: civil and criminal.
The Final Rule adopted in 2006 by the HHS empowers the Office for Civil Rights to impose civil money penalties on covered entities that do not comply with HIPAA Rules.
The financial penalties for HIPAA violations were revised by the HIPAA Omnibus Rule 2013, which aligned them with the Health Information Technology for Economic and Clinical Health Act (HITECH).
Civil Penalties (HITECH Act)
Civil penalties for HIPAA violations are typically imposed when the offender was unaware they were violating the law. The severity of the penalty depends on the level of negligence involved:
- Unawareness of Violation: A minimum fine of $100 per violation, with a maximum annual penalty of $25,000 for repeated violations.
- Reasonable Cause: A minimum fine of $1,000 per violation (without “willful neglect”), with a maximum annual penalty of $100,000.
- Willful Neglect (Corrected): A minimum fine of $10,000 per violation if the issue is addressed promptly, with a maximum annual penalty of $250,000.
- Willful Neglect (Not Corrected): A minimum fine of $50,000 per violation if the issue is not corrected, with a maximum annual penalty of $1.5 million.
Criminal Penalties (42 USC 1320d-6)
Criminal violations of HIPAA are handled by the Department of Justice (DOJ) that has the authority to impose criminal penalties. Similar to civil penalties, criminal penalties are structured into different levels based on the severity of the offense:
- Tier 1: Deliberate unauthorized access or disclosure of PHI — punishable by up to 1 year in jail and a $50,000 fine.
- Tier 2: Obtaining PHI under false pretenses — punishable by up to 5 years in jail and a $100,000 fine.
- Tier 3: Using PHI for personal gain or with malicious intent — punishable by up to 10 years in jail and a $250,000 fine.
Case Overview
Let’s consider some of the biggest healthcare breaches that were reported to OCR in 2023 and 2024:
A. Banner Health
In 2023, Banner Health, a large non-profit health system, agreed to a $1.25 million settlement with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services over alleged HIPAA violations following a 2016 data breach. This breach compromised the PHI of 2.81 million individuals, including sensitive details such as Social Security numbers and diagnoses. The OCR found that Banner Health had failed to conduct adequate risk analysis and implement sufficient safeguards to protect electronic PHI (ePHI). The health system lacked proper procedures for verifying the identity of those accessing ePHI and securing data against unauthorized access.
The settlement included a corrective action plan requiring a comprehensive risk analysis, risk management strategy, and enhanced security procedures, with OCR monitoring compliance for two years. This case highlights the practical necessity for healthcare providers to conduct thorough and precise risk assessments to identify vulnerabilities related to PHI. Continuous activity monitoring is essential for early detection of unauthorized access, and equally important is the implementation of mechanisms to accurately verify the identity of individuals seeking access to ePHI. These measures underscore the critical need to safeguard patient data and maintain HIPAA compliance.”
B. A. Care Health Plan
“In September 2023, L.A. Care Health Plan, the largest publicly operated health plan in the U.S., settled with the OCR for $1.3 million due to multiple violations of HIPAA Privacy and Security Rules. The violations arose from unauthorized disclosures of PHI, including access issues via the member portal and mailing errors affecting 1,498 members.
Key failures identified by the OCR included inadequate risk assessments, insufficient security measures, failure to review system activities regularly, and improper responses to changes affecting ePHI security. The unauthorized disclosure of PHI also violated HIPAA privacy rules. Consequently, recommended actions include conducting comprehensive risk assessments from the outset. Organizations should implement security measures that address identified risks and consistently monitor system activities. Regular evaluations of both technical and non-technical safeguards are necessary, particularly after operational changes. Mechanisms for monitoring and logging ePHI system activities should be in place. Finally, any HIPAA violations must be reported promptly, and systemic compliance issues addressed swiftly to prevent future breaches.
Now, moving forward with the data breach cases of 2024, it is important to point out that, as per the HIPAA Healthcare Breach Report, 387 data breaches of 500 or more records were reported to OCR in 2024. This figure marks an 8.4% increase from H1, 2023.
A. Concentra
In January 2024, Concentra confirmed that a cyberattack on its transcription service provider, PJ&A, compromised the protected health information of nearly 4 million patients, raising the total number of affected individuals to over 14 million. Concentra reported that the compromised information included full names, dates of birth, addresses, medical record numbers, hospital account numbers, admission diagnoses, and service dates. Some individuals may also have had their Social Security numbers, insurance details, and clinical information, such as lab results, medications, and healthcare provider names, compromised.
Dozens of lawsuits have been filed against PJ&A, accusing the company of negligence for failing to implement reasonable and appropriate cybersecurity measures to protect the sensitive health data entrusted to it by clients. These essential measures, such as network segmentation and encryption, were allegedly absent, leaving critical information vulnerable to unauthorized access. The delayed notification to affected individuals compounded the situation, heightening the risk of identity theft and fraud.
In these regards, best cybersecurity practices include not only encryption and network segmentation but also conducting regular audits and providing comprehensive staff training on data protection. Moreover, an effective incident response should ensure the prompt notification of affected individuals to mitigate potential harm.
B. Integris Health
In late 2023, Integris Health, a nonprofit healthcare system in Oklahoma, suffered a major cyberattack that exposed the personal data of approximately 2.39 million individuals, including names, Social Security numbers, and contact information. The hackers threatened to sell the compromised patient data on the dark web unless a ransom was paid. Integris Health faced criticism for its delayed transparency and failure to promptly offer identity theft protection. Consequently, the organization was forced to release an update, which it presented as a precautionary measure. However, such disclosures are mandated by law under HIPAA and the HITECH Act.
Multiple class action lawsuits have since been filed against Integris Health, accusing it of negligence for failing to implement adequate cybersecurity measures, despite known risks of such attacks. Plaintiffs argue that the organization’s lack of transparency further exacerbated the situation, limiting the potential for affected individuals to protect themselves from fraud. These lawsuits seek compensatory damages and injunctive relief, with claims likely to be consolidated due to their similar factual basis. The situation highlights the critical need for robust cybersecurity in healthcare and timely, transparent responses in the event of a breach.
To sum it up
Although the official penalties for data breaches that occurred in 2024 have not yet been published, it is clear that the companies involved will face substantial financial repercussions for the damage they have caused to millions of patients due to their negligence and failure to perform adequate periodic evaluations of respective safeguards.
Taking into account the steady year-by-year increase in the frequency of cyberattacks in the American healthcare sector and the case study, it is evident that healthcare providers face a growing risk of compromising patient privacy. This situation should raise significant concerns and compel these organizations to recognize that privacy by design and default is the bare minimum, not to mention continuous monitoring and regular audits that have to be performed as preventive action for maintaining security. Organizations’ negligence is the root of numerous privacy violations, therefore its elimination should be a top priority for the healthcare sector.
Contact us
Fill in the form and we will contact you as soon as possible!