This paper analyzes a 2015 data breach at a major university health system in the United States, exploring the causes, consequences, and organizational failures that led to the exposure of millions of patients' personal and medical information. The paper examines how inadequate encryption, delayed disclosure, and a lack of IT security culture contributed to both the breach and its aftermath, including a $7.5 million class action settlement. Drawing on HIPAA requirements and current research on healthcare data security, the paper offers practical recommendations for healthcare institutions seeking to prevent similar breaches, foster staff security awareness, and maintain patient trust through transparency and accountability.
As healthcare organizations know all too well, healthcare data breaches are occurring with alarming frequency. Yet just as malicious actors have more and more tools at their disposal, healthcare IT experts, managers, and providers also have more tools to guard against them. Online health records have significantly improved patient care through comprehensive, shareable documentation. In the wrong or inexpert hands, however, sharing that same data can harm rather than heal. "The frequency of healthcare data breaches, magnitude of exposed records, and financial losses due to breached records are increasing rapidly" (Seh, 2020, par. 1). Understanding how and why breaches have occurred in the past is essential to ensuring they do not occur at our institution in the future.
A compelling example of a recent data breach that ultimately resulted in legal action is the 2015 breach that occurred at one of the major university health systems in the United States. The health system's failure to undertake appropriate data encryption measures resulted in the exposure of user information — including Social Security numbers, health plan identification numbers, and personal medical and other identifying information — belonging to millions of patients (Adler, 2020). Patients were not made aware of this until months after the breach, further compounding the scandal.
The reasons for the Health Insurance Management Systems (HIMS) breach are familiar ones. First, the institution did not perform due diligence and encrypt its patient data (Firestone, 2020). Inadequate encryption has been a factor in major data breaches at retail organizations such as Target, but in a healthcare setting the same failure also constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA) (Firestone, 2020). Second, the organization was unwilling to admit its failures. As is often the case, the cover-up proved worse than the original error. When evidence of the institution's carelessness came to light, rather than being honest and transparent, the health system waited months before acknowledging that it had been well aware of the breach, thereby limiting the ability of affected patients to take protective steps — such as enrolling in credit monitoring — in a timely manner (Adler, 2020). This "circle the wagons" mentality may itself reflect an organizational culture that is reluctant to be candid about its weaknesses.
Third, there is evidence that healthcare institutions are particularly vulnerable to data breaches because internal misuse — rather than external intrusion — accounts for a disproportionate share of incidents. This pattern is largely specific to the healthcare sector. Fourth, one reason insiders may be responsible is a general lack of technological familiarity among healthcare workers, who are well versed in clinical technology but less so in data management and record keeping. In this case, inadequate IT security precautions on the part of healthcare personnel may have stemmed from an organizational priority placed on patient treatment operations rather than on data governance.
The significance of healthcare data breaches is compounded by the sensitivity of the information stored in patient files. In this particular breach, patient privacy and information security were severely compromised. Social Security numbers, along with dates of birth, addresses, names, and Medicaid IDs — all stolen in the breach — can be used to damage individuals' credit, apply for mortgages or new credit cards, and obtain money fraudulently (Adler, 2019). Such information can also be sold to individuals wishing to conceal their identity, including persons in the country without legal status or those with criminal intent.
Beyond the risk to financial data, victims were also burdened with the practical difficulties of canceling credit cards and monitoring their credit. Even though free credit monitoring was offered, this still represented a significant investment of time and psychological energy. As patients of a healthcare institution, they had extended a substantial degree of trust to the organization. Having their privacy violated in an area of their lives they regard as deeply personal could be psychologically damaging even for individuals in good mental health — and many people with physical health conditions also contend with significant mental health challenges. The intersection of protected health information breaches and patient well-being is therefore a serious concern that extends well beyond financial harm.
$7.5 million settlement follows inadequate leadership response
Encryption, staff training, and breach response planning
According to HIPAA, protecting the data security and safety of patients is of paramount importance. By law, there is also a requirement to both report and categorize the type of breach of patient health information to the Department of Health and Human Services (Jiang & Bai, 2019). But healthcare institutions must go above and beyond minimum legal requirements to truly flourish. Taking accountability for mistakes and learning from the errors of other institutions are not optional — they are obligations. Only by investing meaningfully in security and treating it as an organizational priority can a healthcare institution genuinely earn and maintain patient trust.