Nick Culbertson on Data Breaches in Healthcare [Podcast]


Post By: Adam Turteltaub

Preventing data breaches is a critical task for all businesses these days, but it’s especially so in healthcare. No one wants to see health information disclosed, and the risks of a ransomware attack are enormous, literally putting lives at stake. And, of course, there are significant consequences under HIPAA.

Nick Culbertson, CEO and co-Founder of Protenus, reports that there were well over 700 breaches in healthcare in 2020. Over 40 million records were affected. It’s a staggering number, and one such breach exposed over 3 million records.

Breaches occurred in 49 of 50 states and Puerto Rico. In sum, nowhere is safe.

What can healthcare organizations — and others, too, for that matter — do to protect themselves? He recommends taking a layered approach. That includes security measures such as strong firewalls but also extensive training of employees, penetration testing and audit log monitoring. In sum, embrace multiple layers of defense that can protect against a wide range of possible mishaps.

In addition, as he explains in this podcast, it is important to take a broad view of the human risk elements. These range from snooping into records to find out if someone does or does not have COVID, to failing to dispose of paper records properly, to bad actors offering furloughed employees cash for their passwords and IDs.
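The audit log monitoring mentioned above and the snooping and furloughed-employee risks described here come together in a review script. The following is an added example, not code from the podcast, the post, or Protenus: it parses a constructed access log (timestamp, user, patient, action) and flags accesses with no treatment relationship, accesses to a co-worker's record, and activity from an account HR lists as furloughed. The log format, the care-team and HR lookup tables, and every sample line are assumptions for illustration.

```python
"""Audit-log review for record snooping in an EHR.

Constructed example: the log format, the rules and every sample line are
assumptions for illustration; real EHR audit exports differ by vendor.
"""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "ts user patient action")

# Constructed sample audit lines: timestamp, user id, patient id, action.
SAMPLE_LOG = """\
2020-04-02T08:01:10 nurse01 P1001 VIEW_CHART
2020-04-02T08:05:42 nurse01 P1002 VIEW_LABS
2020-04-02T08:06:03 clerk07 P1003 VIEW_LABS
2020-04-02T09:15:00 nurse02 P2001 VIEW_CHART
2020-04-02T12:40:19 nurse03 P1001 VIEW_CHART
2020-04-02T22:10:55 billing04 P1002 VIEW_CHART
"""

# Constructed context a real deployment would pull from the scheduling/ADT
# system and HR: who is on each patient's care team, which patients are also
# employees, and which accounts belong to furloughed staff.
CARE_TEAM = {
    "P1001": {"nurse01", "dr05"},
    "P1002": {"nurse01", "dr05", "billing04"},
    "P1003": {"nurse02"},
    "P2001": {"nurse02"},
}
EMPLOYEE_PATIENTS = {"P2001": "nurse03"}   # patient P2001 is employee nurse03
FURLOUGHED_USERS = {"nurse03"}


def parse_log(text):
    """Parse whitespace-separated audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append(AccessEvent(ts, user, patient, action))
    return events


def find_snooping(events, care_team, employee_patients, furloughed):
    """Return (user, patient, reason) tuples for accesses that need review.

    The checks are independent, so one event can produce several findings
    (e.g. a furloughed account that also has no treatment relationship).
    """
    findings = []
    for ev in events:
        team = care_team.get(ev.patient, set())
        if ev.user in furloughed:
            findings.append((ev.user, ev.patient, "furloughed account active"))
        if ev.user not in team:
            findings.append((ev.user, ev.patient, "no treatment relationship"))
        if ev.patient in employee_patients and ev.user != employee_patients[ev.patient]:
            # Access to a co-worker's chart is reviewed even when the accessor
            # is on the care team; the reviewer decides whether it was needed.
            findings.append((ev.user, ev.patient, "employee patient record"))
    return findings


def review(log_text=SAMPLE_LOG):
    """Run the snooping rules over a log export and return the findings."""
    return find_snooping(parse_log(log_text), CARE_TEAM,
                         EMPLOYEE_PATIENTS, FURLOUGHED_USERS)


if __name__ == "__main__":
    for user, patient, reason in review():
        print(f"REVIEW {user} -> {patient}: {reason}")
```

The no-relationship rule does most of the work; the furloughed-account and employee-patient rules exist because a legitimate-looking care-team entry does not by itself explain an access from an account that should be dormant or into a colleague's chart. In practice the care-team and HR tables are refreshed from their systems of record on each run rather than hard-coded.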

One other area to protect against: breaches through business associates. With increased integration of providers and their suppliers comes dramatically increased risk. The largest incident in 2020 was the result of one such breach.

The bottom line, he reports, is that organizations need to invest more in their cybersecurity, but compliance and privacy teams also need to stay on the alert for simple, human failings.

Listen in to learn more about how to protect your organization.


  1. If what the speaker is sharing is valid…a number of breaches are related to mistakes or errors associated with employees…it certainly begs the question as to why organizations are not putting into place controls, especially technical controls which are not dependent on the user…to help reduce these occurrences.

    Of course…ask someone who has not put these safeguards in place this question…you might be surprised at the number of reasons/excuses/etc. that you may hear on why this is the case.

    Can make for an interesting conversation, in my opinion.

    I was encouraged by the speaker who acknowledged that despite the constant statements about “not paying a ransom”…there are times or situations where paying the ransom may be one of, if not the only, viable alternative/solution.

    Nice to see and hear a real world perspective.

    Thanks to Nick for sharing his insight.
