Health Data Breach Tally Update: Ransomware PersistsMore Major Incidents Added to the 'Wall of Shame'
Several major ransomware incidents have been added to the federal tally of major health data breaches in recent weeks.
Among the incidents recently added to the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, is a June ransomware attack reported on Aug. 8 by St. Joseph’s/Candler, a healthcare system located in Savannah, Georgia, that affected 1.4 million individuals. As of Thursday, that incident is the sixth-largest breach added to the tally so far this year.
In its breach notification statement, St. Joseph's/Candler says that its investigation determined that the incident involved an unauthorized party gaining access to its IT network between the dates of Dec. 18, 2020, and June 17.
Potentially compromised files contained patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member IDs, medical record numbers, dates of service, provider names and treatment information, the statement says.
Another ransomware incident added to the tally in recent days was reported to HHS on July 30 by UF Health Central Florida as affecting nearly 701,000.
Also added to the tally in recent weeks was a high-profile ransomware breach reported to HHS on June 1 by Scripps Health, affecting more than 147,000 individuals. Scripps Health in a recent third-quarter earnings report said that the ransomware incident, which affected the organization's IT systems for nearly a month, has so far cost the San Diego-based entity nearly $113 million, including $91.6 million in lost revenue.
The largest 2021 breach involving ransomware posted to the HHS OCR site was reported by Wisconsin-based Forefront Dermatology S.C. on July 8; it affected more than 2.4 million individuals, including patients and employees.
'Wall of Shame' Stats
A snapshot Thursday reveals that so far in 2021, 443 breaches affecting more than 31.1 million individual have been added to the HHS OCR breach tally website.
Of those, 327 incidents - or about 74% - were reported as hacking/IT breaches. They affected a combined total of nearly 29.8 million individuals, or nearly 96% of all those affected by breaches added to the tally this year.
So far this year, business associates have been reported as being involved in 187 incidents, or 42% of breaches added to the tally, affecting a total of nearly 19.7 million individuals.
Of the incidents added to the tally this year, 95 breaches - affecting 1.1 million individuals - were reported as unauthorized access/disclosure incidents.
Only seven breaches affecting a total of about 27,000 individuals were reported as involving the theft or loss of unencrypted computing devices. In years past, thefts and losses of unencrypted computing devices, such as laptops and flash drives, dominated the HHS OCR breach tally.
Since 2009, a total of 4,170 breaches affecting nearly 303.8 million individuals have been added to the ongoing tally.
The trend of hacking incidents - and especially ransomware attacks - resulting in major compromises of electronic protected health information shows no signs of abating.
"Healthcare has seen a two times increase in breaches since 2018, along with a three times increase in breaches attributed to hacking - with an increasing trajectory," says John Delano, a regional CIO of healthcare system AdventHealth and healthcare security strategist at incident response vendor Critical Insight.
"There are no signs of this slowing down - and it has to do with the value of electronic protected health information on the black market. Scammers can monetize this data in a myriad of ways," he says.
"Additionally, healthcare runs on myriad legacy systems, which make it an easy target. With a global pandemic impacting healthcare, the primary focus is rolling out new technologies to support telemedicine activities. Hospitals are completely full and looking for any solutions that will ease the burden of dealing with so many sick patients. Security is taking a back seat and this increases the vulnerability."
The trend of business associates and other supply chain vendors playing a leading role in so many major breaches "seems to indicate that hackers are paying more attention to the ecosystem of vendors and are attacking the vulnerable links in the chain," Delano notes.
Organizations need to prioritize assessing their third-party risks, he contends. "Healthcare organizations need to classify their business associates by risk level according to the type of data they can access and prioritize reviewing those vendors with the highest risk scores," he says.
The largest health data breach posted to the federal tally so far this year involved a business associate. That incident was reported in January by Tallahassee, Florida-based Florida Healthy Kids Corp., an administrator of children’s dental and health insurance programs in Florida. Florida Healthy Kids, which reported the hacking/IT incident as affecting 3.5 million individuals, said that a vendor that hosted the entity's website apparently failed to address vulnerabilities over a seven-year period, resulting in the exposure of personal data, as well as hackers tampering with data.
A number of other large health data breaches that have been disclosed are likely to be posted on the HHS breach tally site in the weeks to come.
Those include a data security incident revealed Tuesday by the Indiana Department of Health that affected 750,000 individuals. That incident involved a third-party firm that "inappropriately accessed" online COVID tracking survey information due to a software configuration issue, the department says in its breach notification statement.