Despite being subjected to high regulatory expectations and intense scrutiny over information security practices, the healthcare industry has again succumbed to a significant data breach. Even before the recent cyberattack on UnitedHealth Group’s subsidiary Change Healthcare—recognized by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for being of unprecedented magnitude (https://tinyurl.com/5hd-3c9d3)—a review of the breach portal reflecting legally mandated notifications to the Secretary of HHS for breaches of unsecured protected health information (https://tinyurl.com/yudx89av), depicted an industry challenged to manage cyber risk effectively. According to the FBI’s 2023 Internet Crime Report (https://tinyurl.com/bdfyhawf), Healthcare and Public Health represented the infrastructure sector most affected by ransomware (p. 13). The HIPAA Journal reported: “There was no letup in cyberattacks on healthcare organizations in 2023, which set two new records—the most reported data breaches and the most breached records” (https://tinyurl.com/3mdp842r). With mandated security rules and ample accompanying guidance, questions remain…
