In July 2022, the anesthesia management conglomerate Somnia, Inc. reported a data breach (1). According to reports, more than 20 affiliated anesthesia practices suffered security and privacy violations (1). As a result, confidential data from more than 400,000 patients — including Social Security numbers, diagnosis and treatment information, financial account details, names, and dates of birth — across the United States were compromised (2). While details remain unknown, Somnia confirmed that the breach occurred as a result of data exfiltration committed by an unidentified third party (3). Fearing that their data would be used to file fraudulent tax returns, open unauthorized bank accounts, or commit identity theft, former patients of the affiliated practices filed five class action lawsuits against Somnia as they continue to suffer from the consequences of the breach of their privacy (2). The Somnia incident represents just one example of the growing prevalence of health data breaches, which have affected anesthesia practices as well as others.
In 2009, in response to numerous major privacy incidents, the United States Department of Health and Human Services created the Breach Portal, a publicly available online record of health data breaches known in the medical field as “the wall of shame” (4). Since its introduction, more than 5,000 privacy and security breaches have been recorded, affecting a total of 369 million patients (4). Each of these incidents stems from one of two causes: unintentional exposure, such as storing confidential data in a non-secure location or sending files to the incorrect recipient; or data exfiltration (“hacks”), such as phishing and ransomware schemes (5). Hacking caused less than half of the reported cases but accounted for more than 83% of compromised patients (4). As with hacking incidents in other fields, financial gain was the most common motive; however, healthcare incidents involved insiders 25% more often than in other fields, with medical professionals such as doctors and nurses 14 times more likely to be involved, likely because these individuals are often untrained in data privacy and can become victims of phishing and malware schemes (6). Business associates, such as the anesthesia management company Somnia, are also commonly targeted, and attacks on these third parties comprised approximately one third of reported targeted healthcare data breaches (4).
To prevent data breaches, anesthesia practices should abide by expert security recommendations, including monitoring, restricting, and updating security measures (7). For example, healthcare firms should conduct annual security audits to assess the risk of leaking HIPAA-protected information, limit access to confidential information on personal devices, and educate healthcare providers on data protection by informing them of the types of data breaches, data security methods, and appropriate file storage (7). Healthcare practices should also create an incident response plan to use in the event of a data breach, which should specify containment and notification procedures (7).
However, even when organizations protect data, data breaches can still occur. To address breaches, security experts recommend three steps: initiating the response plan, containing the breach, and notifying stakeholders (7, 8). Although catastrophic, the Somnia incident can serve as an example of what to do (and what not to do) in future data breaches of anesthesia practices. First, in keeping with the advice of security experts, Somnia initiated its incident response plan and disconnected from the network immediately following the breach (3). However, the firm failed to contain the breach, preserve evidence, or notify stakeholders on time, resulting in a delayed shutdown, late notice, and the inability to identify the attacker (2). Anesthesia practices can learn from this example and take more thorough action than Somnia did by educating healthcare providers on data storage and email-based hacking schemes, creating a more detailed response plan, and notifying patients of a breach as soon as possible. In this age of technology and hacking incidents, health data breaches are a constant threat; however, steps can be taken to prevent and recover from these violating incidents.
References
1: Davis, J. 2022. “10 more anesthesia practices added to healthcare management breach tally.” SC Media. URL: https://www.scmagazine.com/analysis/breach/10-more-anesthesia-practices-added-to-healthcare-management-breach-tally/.
2: Heltzel, B. 2022. “Patients sue Somnia for data breach of 400,000 accounts.” Westchester and Fairfield County Business Journals. URL: https://westfaironline.com/courts/patients-sue-somnia-for-data-breach-of-400000-accounts/.
3: Somnia, Inc. 2022. “Security incident.” Somnia Inc. URL: https://somniaanesthesiaservices.com/somnia-anesthesia/security-incident/.
4: McGee, M. 2022. “Federal tally reaches 5,000 health data breaches since 2009.” Healthcare Info Security. URL: https://www.healthcareinfosecurity.com/federal-tally-reaches-5000-health-data-breaches-since-2009-a-20335.
5: Seh, A., Zarour, M., Alenezi, M., Sarkar, A., Agrawal, A., Kumar, R. and Khan, R. 2020. “Healthcare data breaches: insights and implications.” Healthcare (Basel) 8(2):133. DOI: 10.3390/healthcare8020133.
6: Landi, H. 2019. “Majority of healthcare breaches come from inside the organizations: report.” Fierce Healthcare. URL: https://www.fiercehealthcare.com/tech/majority-healthcare-breaches-come-from-inside-organizations-report.
7: Scott, J. 2022. “Tips for healthcare organizations to prevent and respond to data breaches.” HealthTech. URL: https://healthtechmagazine.net/article/2022/03/tips-healthcare-organizations-prevent-and-respond-data-breaches.
8: Stone, J. 2022. “How to manage a healthcare data breach.” Security Metrics. URL: https://www.securitymetrics.com/blog/how-manage-healthcare-data-breach.