Health Data Breach Tally: Ransomware Proliferates
Here's An Update on Additions to the 'Wall of Shame'
Ransomware attacks are among the largest incidents added to the federal tally of major health data breaches in recent weeks. Attacks on a variety of clinics affected a total of more than 1 million individuals.
A Tuesday snapshot of the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 371 breaches affecting a total of more than 39 million individuals have been added to the tally so far this year.
Of those, 229 breaches - or about 62 percent - were reported as "hacking/IT incidents." Those incidents affected a total of about 34 million individuals, or the vast majority of victims of the breaches added to the tally this year.
Some 2,926 breaches affecting more than 231 million individuals have been posted on the HHS health data breach website since 2009. Commonly called the "wall of shame," the website lists breaches affecting 500 or more individuals.
Ransomware Attacks Surge
In a statement, the clinic says it discovered in July improper access to certain portions of its networked computer systems "and that a computer virus had encrypted certain files" on its computer systems.
"North Florida OB-GYN promptly shut down its networked computer systems, initiated its incident response and recovery procedures, notified the FBI, and began a privileged and confidential forensic investigation," the statement says, without specifying whether a ransom was paid to unlock data.
Other recent ransomware-related breaches appearing on the HHS website include:
- Alabama-based Sarrell Dental - 391,000 individuals affected;
- Utah-based Premier Family Medical - 320,000 affected;
- Nebraska-based CHI Health Orthopedics Clinic - Lakeside - 48,000 affected.
"Until there's a significant step up in our security protections, these types of ransomware-related attacks are going to continue," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. "They're easy and profitable."
Preventing and defending against most breaches requires a multifaceted approach, she adds. "New security technologies offer promise of better outcomes. But until all organizations commit to the basics, new solutions will simply be built on sand."
In the meantime, Keith Fricke, principal consultant at tw-Security, predicts that ransomware attacks impacting healthcare sector entities will continue to surge.
"We've seen the emergence of 'ransomware as a service' in the past few years. This is a service that criminals offer to others that want to get into the 'ransomware business' but may not have the resources or technical skills to conduct ransomware campaigns," he notes. "With RaaS, more criminals can engage in ransomware activities in exchange for paying a percentage of the ransom payments collected."
Among other breaches new to the tally is a phishing incident at Methodist Hospitals in Gary, Indiana, that affected 68,000 patients.
In a statement, Methodist Hospitals says that it learned in June of unusual activity in an employee's email account.
"On August 7, 2019, the forensic investigation determined that two Methodist employees fell victim to an email phishing scheme that allowed an unauthorized actor to gain access to their email accounts," the statement says.
"The investigation determined that one account was subject to unauthorized access on June 12 and from July 1 to July 8, 2019 and that the other account was subject to unauthorized access from March 13 to June 12, 2019," Methodist says. "While we have no evidence of actual or attempted misuse of any information present in the email accounts, we could not rule out the possibility of access to data present in the accounts."
Ransomware and phishing attacks added to the HHS tally are evidence of "an alarming trend," says Susan Lucci, senior privacy and security consultant at tw-Security.
"It becomes evident that this is a successful and profitable avenue for the bad guys," she says. "The way that ransomware attacks continue to develop new, believable messaging is outpacing healthcare's ability, in some instances, to keep the workforce educated and alerted to these evolving threats."
Healthcare organizations should provide all staff members with ransomware prevention updates at least once a month, she suggests. "The best lessons can be learned from real examples, so that people don't fall for a similar phishing attack," she adds.
10 Largest Health Data Breaches Reported So Far in 2019
| Breached Entity | Individuals Affected |
|---|---|
| *Optum360 (on behalf of Quest Diagnostics) | 11.5 million |
| *Laboratory Corporation of America | 10.3 million |
| Dominion Dental Services | 3 million |
| *Clinical Pathology Labs | 1.7 million |
| Inmediata Health Group | 1.6 million |
| Women's Care Florida | 529,000 |
| Bayamon Medical Center | 422,000 |
Business Associate Risks
Business associates have been culprits in some of the largest health data breaches reported so far this year.
That includes a hacking incident disclosed in June by American Medical Collection Agency that impacted nearly two dozen healthcare clients and more than 26 million individuals.
As of Tuesday, four of the 10 largest health data breaches posted on the HHS tally so far in 2019 were tied to the AMCA hacking incident.
In another business associate incident, Scottsdale, Arizona-based managed care company Magellan Health reported a major breach.
In a statement, Magellan Health noted that two subsidiaries - National Imaging Associates and Magellan Healthcare - were victims of phishing attacks that resulted in a potential data breach related to protected health information belonging to members of Presbyterian Health Plan.
Managing BA Risk
Covered entities can take several steps to reduce the risks posed by BAs, Lucci says.
"Assign responsibility for BA management to someone with privacy and security expertise. Reviewing and ensuring BA agreements are current is the first step. All too often, contracts are renewed but BA agreements are not," she says.
Also important is creating a current list of all BAs and keeping in communication with key contacts throughout the life of the relationship, she adds.
"BA breaches can be reduced by establishing a program to obtain tangible evidence for all BAs regarding their levels of compliance with federal and state regulations. It is not too late to develop and implement an approach that requires proof," Lucci says.