Analysis: 2016 Health Data Breaches, and What's Ahead

Experts Offer Predictions for Trends in 2017
For the second year in a row, the vast majority of health data breach victims were affected by hacker attacks in 2016, and the trend shows no signs of abating.

"Hacking is just getting rolling in healthcare, or probably more accurately, just beginning to be recognized more often," says Mac McMillan, CEO of the security consulting firm CynergisTek.

Experts say the healthcare sector should be prepared to deal with more ransomware attacks and other types of extortion attempts in 2017, as well as an uptick in distributed denial-of-service assaults and security breaches involving internet of things devices.

'Wall of Shame' Snapshot

As of Jan. 4, the Department of Health and Human Services' "wall of shame" tally of health data breaches impacting 500 or more individuals listed 310 incidents in 2016 affecting 16.1 million individuals. But as the HHS Office for Civil Rights confirms details of other major breaches reported in 2016, the total tally for breaches last year could continue to grow.

Before 2015, most data breach victims were affected by incidents involving the loss or theft of unencrypted computing devices. But then things began to change as cyberattacks began ramping up. A handful of huge hacker attacks on health plans impacted more than 100 million individuals in 2015. The largest of those attacks, which targeted Anthem Inc., affected nearly 79 million individuals.

And in 2016, the trend continued, although far fewer victims were affected: The top five health data breaches all involved hacking. Combined, they impacted nearly 11 million individuals - or about two-thirds of all major health data breach victims last year.

10 Largest Health Data Breaches in 2016

Entity                                                          Number of Affected Individuals   Type of Breach
Banner Health                                                   3.6 million                      Hacking incident
Newkirk Products                                                3.5 million                      Hacking incident
21st Century Oncology                                           2.2 million                      Hacking incident
Valley Anesthesiology Consultants                               883,000                          Hacking incident
County of Los Angeles Departments of Health and Mental Health   749,000                          Hacking incident
Bon Secours Health System                                       652,000                          Unauthorized access/disclosure
Peachtree Orthopedic Clinic                                     531,000                          Hacking incident
Radiology Regional Center                                       483,000                          Loss
California Correctional Health Care Services                    400,000                          Theft
Central Ohio Urology Group                                      300,000                          Hacking incident
Source: U.S. Department of Health and Human Services

Nearly a third - or 102 - of all breaches listed for 2016 on the federal tally are described as hacking/IT incidents. In addition, 126 are listed as "unauthorized access/disclosure" breaches, but some of those incidents are known to have involved a cyberattack.

For instance, the second largest "unauthorized access/disclosure" incident for 2016 on the tally was a breach reported by Georgia-based Athens Orthopedic Clinic that affected 201,000 individuals. In a July statement, the clinic alerted patients that it "experienced a data breach due to an external cyberattack on our electronic medical records using the credentials of a third-party vendor."

An Athens Orthopedic Clinic spokeswoman confirmed to Information Security Media Group in July that the clinic was one of several healthcare organizations that fell victim to a hacker dubbed "The Dark Overlord" who posted for sale on the dark web patient data stolen during cyberattacks on those entities.

Since federal regulators began keeping track of major health data breaches in September 2009, they've listed 1,785 breaches affecting nearly 171 million individuals on the official tally. Of those, only 258 breaches are listed as hacking/IT incidents, but those affected a whopping 129 million individuals.

Ransomware Attacks

Missing from the wall of shame are some high-profile ransomware attacks - especially those occurring in early 2016 - that were not apparently reported as breaches to OCR.

That includes the February 2016 ransomware attack on Hollywood Presbyterian Medical Center, which involved the hospital paying $17,000 to extortionists to unlock encrypted data.

To help alleviate confusion about ransomware-related breach reporting requirements, OCR in July issued guidance advising that most - but not all - ransomware attacks that result in a breach of protected health information must be reported to federal regulators under HIPAA.

Healthcare a Prime Target

Several factors are driving attacks on the healthcare sector, says Mark Turnage, CEO of Owl Cybersecurity.

"Many healthcare records contain such a wealth of personally identifiable information that bad actors can leverage," he notes. "They can access current victim accounts or, in many cases, use the information to open up new, fraudulent accounts in the victim's name because of the volume of rather easily accessible information contained in healthcare files. As a result, these files allow criminals to access healthcare services, financial services and information to use the victim's identity to commit further fraud or crime."

Dan Berger, CEO of security consulting firm Redspin, contends it's an "unfair generalization," however, to label healthcare organizations as "soft targets."

"First, it diminishes some of the great [security] work that has been done at many health organizations over the past few years," he says. "Second, it fails to acknowledge the inherent difficulty in safeguarding patient health information. More than any other dataset, ePHI is meant to be widely shared among authorized users yet kept strictly private."

In addition, large hacking groups backed by nation-states, "through sheer numbers and more resources, can literally overrun most health organizations' defenses," Berger says.

Evolution of Attacks

Ransomware attacks will continue in 2017, but could eventually taper off, says McMillan of CynergisTek. "We'll see more, but the future is uncertain as to whether that will continue unabated. Both the industry's investments in advanced solutions and law enforcement are helping to stem the tide."

McMillan predicts cyberattacks could evolve into new or modified types of assaults not frequently seen in the healthcare sector so far. "We need to watch out for more creative extortion attempts using DDoS attacks, as well as theft of data," he warns.

In addition, healthcare organizations need to be on guard for security incidents involving the internet of things, McMillan says. "This will become the next shadow IT nightmare for organizations."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.