2018 Health Data Breach Tally: An AnalysisHacking Incidents Still Dominate, But Fewer Huge Incidents Than in Years Past
Major health data breaches added to the official federal tally in 2018 impacted more than twice as many individuals as the incidents added to the list 2017. But the 2018 victim total was far less than in 2016 and 2015, when the healthcare sector was hit with a string of huge cyberattacks.
A Jan. 3 snapshot of the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website shows 353 major health data breaches were added to the federal tally in 2018, impacting more than 13 million individuals.
Six of the 10 largest health data breaches posted to the tally in 2018 involved hacking/IT incidents.
The cumulative tally includes 2,533 breaches impacting a total of about 190 million individuals since 2009, when regulators began keeping track as a result of the HITECH Act. Commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.
Of the breaches added to the tally in 2018, about 43 percent were reported as hacking/IT incidents; those incidents affected nearly 9 million individuals.
The largest of those breaches, reported in November by third-party billing vendor AccuDoc, impacted its client, North Carolina-based Atrium Health, which notified 2.65 million individuals of a cyberattack on databases hosted by the vendor (see Attack on Billing Vendor Results in Massive Breach).
That trend of hacking incidents racking up the biggest victim totals emerged nearly four years ago when health insurer Anthem Inc. reported in February 2015 a hack the previous year that exposed the protected health information of nearly 79 million individuals.
In 2015, 269 breaches impacting nearly 113.3 million individuals were added to the tally, more than any other year. Of those, the Anthem breach, as well as cyberattacks reported by several other insurers, including Premera Blue Cross (11 million victims) and Excellus BlueCross BlueShield (10 million individuals impacted) - racked up the most victims.
By comparison, in 2016, 327 breaches affecting 16.6 million individuals were added to the wall of shame, and in 2017 the tally added 359 breaches that impacted 5.1 million individuals.
"Unauthorized access/disclosure" breaches were the second most common type of breach added to the tally in 2018. About 139 such incidents impacting about 3 million individuals were posted.
In the initial years of the tally, breaches involving loss or stolen records - especially those stored on unencrypted laptops and other computing gear - racked up the biggest victim counts.
But in 2018, about 53 breaches involving losses or thefts, impacting only 726,000 individuals, were added to the tally. Of those loss/theft breaches, 35 incidents are listed as involving unencrypted electronic gear, such as laptops; those breaches affected nearly 112,000 individuals. But the largest loss/theft breach posted in 2018 involved the theft of paper/film. That incident, stemming from a break-in and fire impacting the data of about 582,000 individuals, was reported in April by the California Department of Developmental Services.
The federal tally also shows eight improper disposal breaches impacted nearly 340,000 individuals were added to the tally in 2018. The largest of those breaches, affecting 301,000 individuals, was reported by SSM Health St. Mary's Hospital in Jefferson City, Missouri.
Top 10 Health Data Breaches of 2018
|Breached Entity||Individuals Affected||Type of Breach|
|AccuDoc Solutions||2.65 million||Hacking/IT Incident|
|Iowa Health System/UnityPoint Health||1.4 million||Hacking/IT Incident|
|Employees Retirement System of Texas||1.2 million||Unauthorized Access/Disclosure|
|Calif. Dept. of Developmental Services||582,000||Theft|
|MSK Group||566,000||Hacking/IT Incident|
|CNO Financial Group||566,000||Unauthorized Access/Disclosure|
|LifeBridge Health||538,000||Hacking/IT Incident|
|Health Management Concepts||502,000||Hacking/IT Incident|
|AU Medical Center||417,000||Hacking/IT Incident|
|SSM Health St. Mary's Hospital||301,000||Improper Disposal|
Kate Borten, president of privacy and security consulting firm The Marblehead Group, predicts that the top two categories of health data breaches reported in 2018 - hackers and other unauthorized access or disclosures - are likely to continue at the top in 2019.
"The good news is that breaches that are easier to avoid are finally being reduced. It's becoming the norm for all user portables to be encrypted, so that loss and theft of devices and media don't result in breaches," she says. "And more and more organizations and their employees are careful about paper disposal."
Mark Johnson, a former healthcare CISO and shareholder at consulting firm LBMC Information Security, says he's "a little surprised" that there were not more major breaches in 2018 appearing on the wall of shame. "While 343 total, and over 13 million individuals affected, are large numbers, my work with our clients would indicate there are many more attacks ongoing against the healthcare ecosystem," he says.
"This would seem to be telling me that the healthcare industry still is struggles with identifying these attacks. So, I really would have expected more of these rather than less."
Johnson also notes that among the top 10 breaches added to the wall of shame in 2018, several involved business associates. Some 83 incidents added to the tally last year, or nearly 24 percent, involved business associates; they affected a total of 5.8 million individuals.
"This tells me that the hackers have spread their focus from just traditional healthcare entities and are now attacking the entire healthcare ecosystem," Johnson says.
If healthcare continues to get better at identifying these cyberattacks, more data breaches likely will be reported in 2019 and beyond.
"Most would see an increase in reported breaches as a bad thing; I would see it as we are getting better at recognizing the attacks, instead of what feels like under reporting. Hopefully with the 'increase' of breaches, healthcare will start to look at protecting their environments to prevent and protect critical care systems," Johnson says.
"If the healthcare sector continues to treat information security as compliance vs. cybersecurity, then we will see roughly the same number of reported breaches and we will be lulled into a false sense of security, if we haven't already. We will think, 'Well we've plateaued, it's not getting worse,' when in reality, it has gotten much worse."
Healthcare is increasingly directly delivered to patients through internet-connected devices and systems, he notes. "This makes integrity and availability of the care systems far more critical and presents far graver risks than simply exposing the data," he says. "That is why hacking is recognized as the number one risk to patient safety. "