Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Health Data Breach Tally: Lots of Hacks, Fewer Victims

Bigger Organizations 'Have Invested Wisely' in Breach Prevention. What About Smaller Ones?
Health Data Breach Tally: Lots of Hacks, Fewer Victims

Hacker attacks are still dominating the data breaches added to the official federal tally so far this year. But compared to the mega-breaches of past years, this year's biggest hacks have been relatively small.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

As of Monday, some 199 breaches affecting 3.9 million individuals had been added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame." The website lists health data breaches affecting 500 or more individuals.

By comparison, the 2015 cyberattack on Anthem Inc. affected nearly 79 million individuals. Plus, 2015 attacks against Premera Blue Cross, Excellus BlueCross BlueShield, and UCLA Health affected many millions more.

Why Are Mega-Breaches Now Rare?

Kate Borten, president of The Marblehead Group, a security and privacy consultancy, says some of the largest entities that were hit in those earlier attacks - and others like them - have been learning to bolster their cyber defenses.

"The biggest organizations ... have and are employing major financial and human resources to protect their information assets and reputation," she says.

Adds Susan Lucci, a senior privacy and security consultant at tw-Security: "It is likely the big organizations have invested wisely in breach prevention strategies in a layered security approach. That way, there are multiple safeguards against intrusion."

Smaller organizations that have not taken similar precautions, however, may still be at risk, she warns. "They should do everything they possibly can to heighten awareness internally among staff and invest in security strategies that make sense for the size of the organization. The reason here is that insider mistakes still provide the easiest access for cybercriminals."

Tally Trends

Of the breaches added to the wall of shame so far this year, 74 are listed as hacking/IT incidents. Those incidents affected nearly 2.65 million individuals.

But other types of breaches have also been added to the tally in the last seven months. Those include 84 "unauthorized access/disclosure" breaches impacting a total of more than 562,000 individuals, with some of the largest of these incidents involving email.

Another 37 breaches involved loss or theft; those affected a total of about 672,000 individuals.

Of the loss/theft breaches, 28 involved unencrypted devices. Those incidents impacted a total of about 80,000 individuals.

The largest breach tied to loss or theft so far this year involved paper/film records. That incident - which, with 582,000 affected, is also the largest breach posted added to the tally so far this year - was reported in April by the California Department of Developmental Services.

Most of the victims in that California incident were impacted by a break-in at an office, which also involved vandalism, a fire and then water damage due to sprinklers.

Five Largest Health Data Breaches So Far in 2018

Breached Entity Individuals Affected
California Dept. of Developmental Services 582,000
MSK Group 566,000
LifeBridge Health 538,000
Oklahoma State Univ. Center for Health Sciences 280,000
Med Associates 276,000
Source: U.S. Dept. of Health and Human Services

Recent Hacking Incident

The second largest breach added to the tally this year was a hacking incident reported by Barlett, Tennessee-based orthopedic practice MSK Group. That incident impacted about 566,200 individuals.

In a notification statement posted on its website, MSK Group says that on May 7 it discovered that its computer networks experienced "a security event."

"Fortunately, after extensive investigation, MSK Group does not believe any records containing personal information, were actually removed from its computer network," the statement says.

"There was, however, unauthorized access to certain parts of the network at times over several months, and personal information - such as full name, address, telephone, fax, photograph, email address, date of birth, Social Security number, diagnostic image, driver's license, insurance and medical record information - was stored on the network."

MSK Group is offering affected individuals one-year of free identity theft protection services, including credit monitoring and a $1 million insurance reimbursement policy with no deductible, the statement notes.

What's Missing?

Despite all the headlines about healthcare being a focal point for ransomware attacks, relatively few such attacks have been added to the tally.

A detailed spreadsheet downloadable from the wall of shame mentions the involvement of ransomware in only 28 incidents impacting nearly 198,000 individuals since 2009. No "hacking/IT" incidents posted on the federal tally so far in 2018 are formally described as involving ransomware. But many major breaches reported in the last 24 months are still being investigated by HHS' Office for Civil Rights.

Here's one example: A ransomware incident at Women's Health Group of PA in July 2017 that affected 300,000 individuals is not described on the HHS wall of shame spreadsheet as involving ransomware. It's described only as a hacking/IT incident.

Also, some ransomware attacks earlier this year, including those affecting Allscripts and Hancock Health, do not yet even appear on the federal tally. And it's possible those incidents won't ever be added to the tally.

Although HHS issued guidance stating that in most cases, ransomware attacks are reportable as breaches under HIPAA, it's possible that some organizations may not be following that guidance - or are determining their ransomware incidents did not result in reportable breaches.

What's Next?

So what health data breach trends are on the horizon?

"While I don't see the more mundane and no-tech, low-tech breaches going away, hacker cyber breaches are likely to continue to rise as our electronic connectedness increases," Borten says. "Cybercrime pays, and the criminals aren't risking their lives."

Lucci notes that hackers' tactics are evolving. "New methods of attack are including malware embedded in an attachment like a PDF file. Even though there has been a heightened awareness with employees about not clicking on links included in emails, the new way in may be through a PDF file or other attached document," she notes.

"This deploys malware when an unsuspecting employee opens the document. When we remind employees about phishing, we need to include statements with emphasis on not opening any attachments if the email isn't from a trusted source."

While some types of breaches - like major incidents involving lost or stolen unencrypted laptops - are becoming less common on the wall of shame, Borten says she's dismayed that these and other mishaps still occur.

"By now, the healthcare industry should have greatly reduced breaches due to unencrypted devices, mishandled emails and exposed papers and films containing protected health information," she says. "There are relatively straightforward solutions to these problems. It is very disappointing to see these breaches continue."

While hacker attacks get a lot of attention, incidents involving unauthorized access appear to be rising over the last year on the wall of shame, Lucci notes.

"Hard to say why this is increasing, but the two most common are [records] snooping ... and failing to shut down access to healthcare systems at the right time," she says.

Organizations are discovering snooping "through normal and random audit processes and are cracking down on this type of privacy violation," Lucci notes.

"Strong reminders and additional education should be provided for employees to deter the temptation to 'look and see what happened,'" with patients, she says. But it's not just employees who snoop.

"Remember that business associates may have access to critical systems, and pulling a list of recently terminated contracts should be reviewed against access," she says. "This is a key security process that should be managed on a regular basis."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.