October 2, 2019 | Marcus Miller

Over 33 Million Patients’ PHI Breached This Year Already—WHY?

To date, in 2019, the personal information of more than 33 million patients has been stolen in the 10 largest healthcare data breaches.

The information stolen includes Social Security numbers, birthdates, medical information, demographics, etc. As we are just entering the fourth quarter of 2019, we’ll see the number of breaches continue to grow.

Why are breaches allowed to happen? On the surface, a breach looks like an IT problem. It’s easy to say, “We just need to strengthen our security” to fix the problem. But, as we look into the problems that allowed hackers into databases, we see that human error is causing the mistakes that initiated the breaches. Likewise, human error failed to catch the mistakes and/or failed to mitigate the consequences of breaches.

Here are some examples of how human error allowed hackers to breach the databases:

- One organization had multiple employees respond to phishing emails that initiated the breach.

- A patient did an internet search for his name and found his PHI (Protected Health Information) on the internet. It was discovered that an employee of the organization made a mistake which allowed internal files to become publicly accessible three weeks prior to the patient discovering the compromised security of his information.

- Another organization didn’t notify its patients of a breach for eight months. “The HIPAA Breach Notification Rule requires covered entities to notify affected individuals; HHS; and, in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery” (www.CMS.gov). That decision failed to mitigate the consequences of the incident.

The database of a facility put out an internal alert that revealed a nine-year hack. An unauthorized entity had access to its patients’ PHI, and nothing caught it for nine years.

So again, it’s easy to see that human error caused the mistakes that initiated, failed to catch, and/or failed to mitigate the consequences of the data breaches, causing organizations and patients to spend untold resources in fixing the problems caused by the breaches.

In TapRooT® Root Cause Analysis Training, we teach how to investigate and line up the sequence of events and the conditions surrounding those events so the mistakes caused by human error can be identified and taken through our proprietary root cause analysis system. The TapRooT® System gives investigators expert guidance through all areas of human performance. We can’t fix people. And, people aren’t robots. Any one of us will become distracted at some point in our jobs; we will be tired; we will get confused when we monitor multiple displays or have multiple controls we need to work; we won’t communicate effectively at times, etc.

The value in TapRooT® lies in the expert guidance our tools give investigators to find the right information

We, as investigators, can then arrive at and fix the underlying root causes that, unchecked, would have allowed the mistakes we make to reach a patient or to have a bad outcome. Root causes are fixable, unlike people. They are simply an absence of best practices or knowledge currently not in the systems or processes we use. The TapRooT® Corrective Action Helper® gives investigators the knowledge and best practices to fix the root causes we uncover in our systems or processes. It is a comprehensive process improvement methodology.

If you would like to learn more, we offer a webinar that explains the TapRooT® methodology, evidence collection tools, and software capabilities. I’d be delighted to connect you with the webinar; please contact me at marcus@taproot.com.
