AMCA Breach Tally Grows; Other Health Data Breaches RevealedHere's a Roundup of Latest Security Incident Reports
Week after week, the list of victims affected by the American Medical Collection Agency data breach continues to grow. The four latest organizations added to the list say a combined total of nearly 190,000 patients they served were affected.
That brings the total number of organizations affected by the breach, which was revealed in June, to about 25. And those organizations report that a total of more than 25 million patients had data exposed.
"When a business associate provides services to many organizations, as did AMCA, the risk to patients across the country can be huge," notes Kate Borten, president of privacy and security consulting firm, The Marblehead Group. "Ideally, the Department of Health and Human Services should identify high volume BAs and consider them for [HIPAA] audits, if and when audits return."
Meanwhile, other healthcare entities - including Presbyterian Healthcare Services and Massachusetts General Hospital - have reported significant data breaches in recent weeks.
New AMCA Breach Victims
The most recent AMCA victims added to the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals are:
- Wisconsin Diagnostic Laboratories, Milwaukee, Wisconsin, reporting nearly 115,000 patients affected;
- Mount Sinai Hospital in New York, 34,000;
- Integrated Regional Laboratories of Fort Lauderdale, Florida, 30,000;
- West Hills Hospital & Medical Center, West Hills, California, 11,000.
These latest AMCA breach victims added to the HHS website - commonly called the "wall of shame" - are in addition to more than 20 other medical testing laboratories and other healthcare entities that have had breaches added to the federal tally and/or have issued notification statements.
Other Health Data Breaches
Meanwhile, a number of other sizable health data breaches have either been added to the HHS tally or revealed in recent weeks.
Among the largest is a phishing incident that affected nearly 183,400 patients at Albuquerque, New Mexico-based Presbyterian Healthcare Services, which offers health plans and operates nine hospitals.
Presbyterian Healthcare says that on June 6, it discovered "anonymous, unauthorized access was gained through a deceptive email to some of Presbyterian's workforce members sometime around May 9."
The unauthorized access to these email accounts appear to be part of a phishing scam, the organization says.
"These email accounts included patient and/or health plan member names and might have contained dates of birth, Social Security numbers and clinical and/or health plan information. Once Presbyterian became aware of this incident, it secured these email accounts, began a thorough review of the impacted emails and alerted federal law enforcement," the statement says.
Research Data Breach
Also recently reported is an incident at Boston-based Massachusetts General Hospital involving a medical research database, which affected about 10,000 patients.
Massachusetts General, which is part of Partners HealthCare, says that on June 24, the hospital learned that an unauthorized third party had gained access to databases related to two computer applications used by researchers in its department of neurology for neurology research studies.
The hospital says that its investigation has found that between June 10 and June 16, the unauthorized third party had access to research data that included, for example, names, diagnosis and medical history, biomarkers and genetic information, and types of assessments and results.
The medical center says it's taken steps to prevent further unauthorized access and to restore the affected research computer applications and databases. The hospital has also engaged a third-party forensic investigator to conduct a review and has contacted federal law enforcement.
A medical center spokesman declined to comment to Information Security Media Group about the type of intrusion into the hospitals' database and the potential motivation of those who inappropriately accessed the medical research data.
Attorney David Holtzman of the security consultancy CynergisTek says the hospital is missing a chance to better educate the wider U.S. healthcare sector about the privacy and security risks posed to medical research data.
"The information disclosed by Massachusetts General Hospital to the media and general public about a security incident which disclosed protected health information of research subjects probably fulfills the minimum requirements set by HIPAA and various state laws," he says. "However, MGH may be missing an opportunity to provide leadership to the healthcare industry through sharing additional details about the root cause of the incident.
"Greater transparency and information sharing into the type of attack or methodology would be beneficial incident information sharing that other healthcare organizations and researchers could use to defend against a similar type of incident including if the breach was the work of a malicious insider."
In another continuing trend, the surge of ransomware attacks in the healthcare sector show no signs of abating.
Among the latest victims is the Cancer Center of Kansas.
The organization says that on June 12, it discovered that computer systems at one of its facilities, located in Dodge City, had been affected by a ransomware attack.
The investigation determined that an unauthorized third party gained access to the center's systems, which contained documents with patients' names, addresses, phone numbers, dates of birth, attending and referring physicians' names and dates of service, the center says.
Cancer Center of Kansas did not reveal whether it paid a ransom nor the status of its recovery from the incident, which was reported to HHS as affecting 773 individuals.