Analysis: Health Data Breach Tally TrendsHacks, Unauthorized Access/Disclosure and Theft Incidents Top the List
The addition to the federal tally in recent weeks of about three dozen major health data breaches, including many hacking and unauthorized access/disclosure incidents, pushed the total number of breach victims so far this year to almost 2.9 million.
A Tuesday snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website - commonly called the "wall of shame," shows a total of 161 breaches added so far in 2018.
"Unauthorized access/disclosure" breaches are the most common type of incident posted on the wall of shame this year. Those 73 incidents - including breaches involving email, electronic medical records and paper/film - impacted a total of nearly 558,000 victims.
The second most commonly reported type of breach so far this year - hacking incidents - has affected far more individuals. As of Tuesday, 54 breaches - or about a third of the incidents posted on the wall of shame in 2018 so far - were reported as hacking incidents, impacting more than 1.6 million individuals - or nearly 60 percent of the total breach victim count.
In addition, 31 breaches reported this year involved thefts or losses; those impacted nearly 660,000 people. Of those incidents, about two dozen involved loss or theft of unencrypted computing devices, such as laptops; those incidents impacted about 60,000 individuals.
But eight breaches involving the loss or theft of "paper/film" records affected nearly 600,000 individuals. Most of those victims were impacted by a break-in reported in April at the California Department of Developmental Services. That DDS office break-in also involved vandalism, a fire and then water damage due to sprinklers, affecting the PHI of 582,000 individuals.
That incident is also the biggest breach posted on the wall of shame so far this year.
The second largest health data breach of the year - a hacking incident involving malware - was reported in mid-May by Maryland-based physician practice LifeBridge Health (see Malware Attacks: Tale of Two Healthcare Incidents).
In a statement, the practice says the malware was discovered in March on a server that hosts electronic medical records of its Potomac Physicians practice and the shared registration and billing system for some other LifeBridge Health providers.
Other large hacker breaches added to the tally in recent weeks includes incidents involving email reported by The Oregon Clinic, affecting over 64,000; Ohio-based Aultman Hospital (43,000); and Holland Eye Surgery and Laser Center in Michigan (42,000).
The largest unauthorized access/disclosure incident added to the federal tally in recent weeks also involved email.
That incident, reported on May 31 by San Francisco-based Dignity Health, involved a sorting error by a business associate, resulting in misaddressed emails affecting 56,000 individuals (see Health System Seeks Patients Help to Mitigate Email Mishap).
Big Picture, Big Breach Trends
As of Tuesday, a total of 2,343 breaches impacting nearly 263.3 million individuals have been posted to the wall of shame since 2009.
The largest of all breaches to date was a hacking incident reported in 2015 by health insurer Anthem Inc., impacting nearly 79 million individuals.
While wall of shame breach trends in recent years show that hacking incidents continue to contribute the largest victim tallies, no single cyberattack impacting the PHI of millions of individuals has been added to the federal tally since 2016.
So what's behind the drop in "mega" hacker attacks impacting health data?
"My impression is that some of the largest breaches from a few years ago were likely state-sponsored attacks, with very different motivation then the more run-of-the-mill hacks that we see for more direct monetary gain," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"We certainly could see similarly sized breaches discovered again in the future, but likely not on a regular basis," he predicts.
Susan Lucci, senior privacy and security consultant at tw-Security, suspects that some entities are also finally getting better at safeguarding their systems and data from massive attacks.
"The lessons from the big 2015 breaches were taken seriously."
—Susan Lucci, tw-Security
"Larger organizations have recognized the importance of investing in better security measures and taking necessary steps to protect health data from intrusion," she notes. "The lessons from the big 2015 breaches were taken seriously. These types of additional security measures are an important investment. You cannot protect what you don't evaluate for risks, and this is why the comprehensive security risk analysis is so critical to all organizations."
Smaller Hacks, But Still Big Impact
Nonetheless, the tally shows a trend that comparatively smaller hacking incidents are still responsible for impacting the largest pool of notified health data breach victims.
"Part of the problem and challenge with hacker incidents is figuring out exactly what happened, so lots of times - given how the HIPAA breach rule works - companies can't definitively pin down what happened, so they have to notify a larger group of people than is probably necessary," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
Due to the high frequency and high breach victim tally of hacker incidents, cybersecurity should be a top priority for organizations, Greene argues. It's also critical, he says, that covered entities and their business associates "remember the importance of safeguards for paper and the continuing relevance of noncyber threats, such as lost or stolen mobile devices."
Fewer incidents involving lost or stolen unencrypted devices are making it to the wall of shame lately compared to years past. But why are these breaches still happening at all - especially when the loss or theft of encrypted devices is not a reportable breach?
"Encryption isn't automatic; there are lots of kinds of devices, and encryption has to be triggered to be relevant, so there are still real gaps that may not be likely to be closed," Nahra says.
A number of factors contribute to the ongoing breach problem involving unencrypted devices, Lucci says.
"One is that perhaps organizations do not know how much - if any - protected health information is on their unencrypted laptops," she says. "Perhaps [the devices] are leaving the facility without specific permission.
"It is absolutely worth the time and investment to become more aware of these issues and simply invest in encryption of these mobile devices."
The HHS Office for Civil Rights has long been emphasizing the importance of encrypting mobile devices. The agency has had a number of HIPAA enforcement actions with multimillion dollar fines following investigations of breaches involving unencrypted devices.
For example, on Monday, HHS announced a $4.3 million civil monetary penalty against the University of Texas MD Anderson Cancer Center for three breaches involving unencrypted mobile devices. MD Anderson in a statement tells Information Security Media Group it plans to appeal the ruling by the HHS administrative law judge who ordered the payment to OCR (see $4.3 Million HIPAA Penalty for 3 Breaches).
Why are there still so many major health data breaches being reported involving paper and film? "We still remain a long way from being a 'paperless society,'" Greene notes.
"Whether due to printing errors, faxing errors or lost shipments, we continue to see significant breaches due to paper records. While the HIPAA Security Rule only requires an enterprise risk analysis to cover electronic PHI, organizations should consider whether to include an assessment of risks to paper records, identifying the flow of paper throughout the organization and identifying where risks are highest."