The HHS Office for Civil Rights (OCR) has announced plans to begin investigating smaller health care data breaches as cybercrime against the health care sector reaches an all-time high. Because of inadequate cybersecurity practices combined with the goldmine of valuable personally identifiable information (PII) stored in the networks of health care providers, cybercriminals have increasingly targeted health care organizations of all sizes with ransomware, network attacks, data theft and other forms of cybercrime. As cybercriminals begin targeting smaller organizations because of their lack of cybersecurity resources, OCR will begin devoting more time, money and energy to investigating these smaller attacks. Previously, OCR’s regional offices devoted resources to investigating reported breaches when the PII of 500 or more individuals had been compromised, but starting this month regional offices will begin investigating the “root causes” of incidents involving fewer than 500 victims.
When deciding which breaches to investigate, the office will “prioritize according to the size of the breach [or] whether any unencrypted PHI was stolen or improperly disposed of; any breaches involving unwanted incursions to IT systems (hacking, malware, phishing), and the nature and sensitivity of the data involved.” Additionally, OCR will pay particular attention to cases where multiple breach reports have similar characteristics. OCR hopes this will lead to better cybersecurity practices among health care organizations of all sizes and, in turn, to better protection of patients’ confidential health information.