Home Health & Hospice Week

Learn from the biggest breaches of 2017.

From new Conditions of Participation to billing snafus to medical review threats under the Targeted Probe & Educate program, home care and hospice providers have a lot on their plates. That's why it may be tempting to let HIPAA security slide to the bottom of the priority list.

That's a move you'll regret, if it lands you on the HHS Office for Civil Rights' breach portal website, informally known as the "Wall of Shame."

More than 14.6 million individuals were impacted by reported HIPAA breaches last year, according to OCR's breach portal information. Of that large number, more than 75 were for violations that affected more than 10,000 patients per one incident.

Here are the statistics for the five largest losses of electronic protected health information (ePHI) due to HIPAAdata breach in 2017, including one by a home medical equipment provider:

1. Commonwealth Health Corporation. The multi-hospital group Med Center Health, which is part of Commonwealth Health Corporation, out of Bowling Green, Kentucky was listed on OCR's Wall of Shame on March 1, 2017. Reports suggest that a former employee stole the billing information of 697,800 individuals for personal use between 2011 and 2014.

2. Airway Oxygen Inc. A malware attack of the Grand Rapids, Michigan home medical equipment provider's systems left the ePHI of "approximately 550,000 current and past customers" exposed, noted the organization's breach notice. The cyber hijack happened on April 18, and the OCR added Airway to the portal on June 16, 2017.

3. Women's Health Care Group of Pennsylvania LLC. With 45 locations across Pennsylvania, the large healthcare organization discovered it was the victim of a ransomware attack impacting upward of 300,000 individuals' ePHI at one location after a virus was detected on a computer and server on May 16. Their group information made its way to the OCR portal on July 15, 2017.

4. Urology Austin PLLC. The Texas urology group suffered a ransomware attack that "encrypted the data stored on" its servers - 279,663 patients' ePHI was affected during the Jan. 22, 2017, incident. Its large-scale breach was uploaded by OCR on March 22, 2017.

5. Pacific Alliance Medical Center. The Los Angeles-based facility alerted authorities of a ransomware hack that impacted 266,123 individuals' ePHI in June of 2017.

Note: The OCR Breach Portal is at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.