What happened with the largest HIPAA breach so far in 2022?
Shields Health Care Group, Inc. recently notified the media, as HIPAA requires, that it has suffered a data breach affecting patient data held by Shields and its partner facilities. The breach is reported to have affected more than two million patients from nearly 60 healthcare providers, making it the largest HIPAA data breach of 2022; the unauthorized access occurred from March 7 through March 21. This could have been avoided with proper security deployment and best practices in place; an IT security team, or an IT consultant performing an audit, should have caught and prevented this breach.
Shields Health Care Group provides services such as MRI, PET/CT, and outpatient surgery to its covered entities. In its notice of data security incident, Shields Health Care Group gives only a few details: the dates involved, that the attacker is an unknown actor, and that it has repaired its systems and continues to work on improving its security. There is not much information on the breach itself yet, but Secure Packet will continue to monitor the situation, since breaches of this kind are usually a learning experience for the entire industry, or may reveal a failure to follow best practices. It has not been determined how the bad actor gained access to the information taken from Shields Health Care Group.
The notice describes the type of data accessed as follows: “…the type of information that was or may have been impacted could include one or more of the following: Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields review of the impacted data is ongoing.” The most interesting part of this data breach is that the group has partnerships with the Boston Celtics, New England Patriots, Boston Bruins, and the New England Revolution. Depending on the retention policy in place at the medical groups, this potentially means that the likes of Tom Brady, Jayson Tatum, Rob Gronkowski, and more have had their medical and personal information exposed. Data on this many high-profile professional athletes will certainly command a high price on the black market.
It is too early to tell whether there will be a fine, since a penalty takes all aspects of the breach into account. Given that last year a single HIPAA fine cost Lifetime Healthcare Companies $5,100,000 for a data breach affecting over 9.3 million people, the Shields breach has the potential to draw a seven-figure HIPAA penalty.
HIPAA data breaches are on the rise with the current COVID-19 situation and the number of remote workers now operating outside the normally contained medical work environment. Billing, HR, consultants, and other non-critical parts of the workforce are now usually working remotely, which creates serious hurdles for HIPAA compliance. Following and auditing industry-wide best practices is a must to ensure this type of data breach does not happen to you and your company. Health records of this kind have become one of the most valuable types of records on the black market: they contain health information that a foreign nation can exploit for its own gains, along with personal information such as Social Security numbers that bad actors can use to take out loans, open credit cards, and more.
If you have any questions or concerns with your HIPAA compliance or best practices around HIPAA compliance, please reach out to Secure Packet today. Secure Packet specializes in HIPAA compliance in on-premise, hybrid cloud, private cloud, and public cloud environments. These types of data breaches are usually avoidable with the proper precautions and best practices.
Affected Facility Partners (Facilities / Entity):
Baystate Health Urgent Care, LLC
Baystate MRI & Imaging Center, LLC
Brighton Imaging Center, LLC
Cape Cod CT Services, LLC
Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc.)
Cape Cod PET/CT Services, LLC
Cape Cod Radiation Therapy Service, LLC
Central Maine Medical Center
Emerson Hospital
Fall River/New Bedford Regional MRI Limited Partnership
Falmouth Hospital Association, Inc.
Franklin MRI Center, LLC
Lahey Clinic MRI Services, LLC
Massachusetts Bay MRI Limited Partnership
Mercy Imaging, Inc.
MRI/CT of Providence, LLC
Newton-Wellesley MRI Limited Partnership
NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
Newton-Wellesley Imaging, PC
Newton Wellesley Orthopedic Associates, Inc.
Northern MASS MRI Services, Inc.
PET-CT Services by Tufts Medical Center and Shields, LLC
Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate to SportsMedicine Atlantic Orthopaedics P.A.)
Shields CT of Brockton, LLC
Shields Imaging at Anna Jaques Hospital, LLC
Shields Healthcare of Cambridge, Inc.
Shields Imaging at University Hospital, LLC
Shields Imaging at York Hospital, LLC
Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
Shields Imaging of Eastern Mass, LLC
Shields Imaging of Lowell General Hospital, LLC
Shields Imaging of Portsmouth, LLC
Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
Shields Management Company, Inc.
Shields MRI & Imaging Center of Cape Cod, LLC
Shields MRI of Framingham, LLC
Shields PET/CT at CMMC, LLC
Shields PET-CT at Berkshire Medical Center, LLC
Shields PET-CT at Cooley Dickinson Hospital, LLC
Shields PET-CT at Emerson Hospital, LLC
Shields Radiology Associates, PC
Shields Signature Imaging, LLC
Shields Sturdy PET-CT, LLC
Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
South Shore Regional MRI Limited Partnership
Southeastern Massachusetts Regional MRI Limited Partnership
SportsMedicine Atlantic Orthopaedics P.A.
Tufts Medical Center, Inc.
UMass Memorial HealthAlliance MRI Center, LLC
UMass Memorial MRI – Marlborough, LLC
UMass Memorial MRI & Imaging Center, LLC
Winchester Hospital / Shields MRI, LLC
Radiation Therapy of Southeastern Massachusetts, LLC
Radiation Therapy of Winchester, LLC
South Suburban Oncology Center Limited Partnership
Shields Imaging of North Shore, LLC
REFERENCES:
Notice of Data Security Incident – Shields Health Care Group