Health Data Breach Trends: The Latest Ups and Downs
Michael Hamilton, CISO of Critical Insight, Analyzes 2021 Breach Reports
There's good news and bad news about health data breach trends, Michael Hamilton, CISO at security firm Critical Insight, says. The bad news: The number of major breaches reported to regulators in 2021 hit a record high. The good news: The growth in the number of breaches reported, compared with 2020, appears to be slowing.
Since 2018, the number of major HIPAA breaches reported to the U.S. Department of Health and Human Services has climbed 84%, and the number of individuals affected by these incidents has grown by 300%, Hamilton says.
This is based on Critical Insight's analysis of breaches posted on the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
In 2018, 369 major health data breaches affected 14.4 million individuals, and in 2021, a record high of 679 breaches affected nearly 45 million individuals.
But the rate at which the number of breaches grew last year declined: Compared with 2020, the number of breaches was up only about 2.4%, Hamilton says.
Unfortunately, the total number of individuals affected by breaches in 2021 increased 32% over 2020, revealing that more records are exposed per breach each year, he says.
It is unclear whether these trends mean the number of entities experiencing major health data breaches is beginning to level out or if there are other reasons behind the numbers, Hamilton says in an interview with Information Security Media Group.
"We're diving in and trying to figure out if that's a real signal [of security improvement], or if it's delayed reporting … or if there are organizations that have been breached and don't know it yet."
Also, "actors could have gained persistence on [the IT systems of entities] but haven't pulled the trigger yet."
The composition of healthcare sector entities reporting major breaches is also shifting, Hamilton says. "Attacks on healthcare providers are actually down, but [incidents involving] business associates are up 18% and health plans are up about 35%," he says. And among healthcare provider organizations, outpatient clinics "are also ticking up."
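The year-over-year figures above (breach counts, individuals affected, growth rates) and the breakdown by covered entity type can be reproduced from the public export of the HHS OCR breach portal. The script below is an added example, not Critical Insight's analysis or any HHS tool: it tallies a small constructed sample in the portal's CSV layout (column names are assumed from that export; every entity, date and count is fictional) by submission year and entity type. Because the portal records the submission date rather than the date the breach occurred, a late report lands in a later year, which is the delayed-reporting caveat Hamilton raises.

```python
"""Tally HIPAA breach reports by year and covered-entity type from an
OCR Breach Portal style CSV export. Added example with constructed data."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample imitating the OCR breach portal export layout.
# Column names are an assumption about that export; the rows are fictional.
# The 499-individual row is included only to exercise the reporting threshold.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Hospital A,WA,Healthcare Provider,1200,01/15/2020,Hacking/IT Incident,Network Server,No
Example Plan B,TX,Health Plan,50000,03/02/2020,Hacking/IT Incident,Email,No
Example Billing Co,CA,Business Associate,800,07/20/2020,Unauthorized Access/Disclosure,Paper/Films,Yes
Example Clinic C,NY,Healthcare Provider,499,11/11/2020,Theft,Laptop,No
Example Hospital A,WA,Healthcare Provider,3000,02/10/2021,Hacking/IT Incident,Network Server,No
Example Plan D,FL,Health Plan,120000,05/19/2021,Hacking/IT Incident,Network Server,Yes
Example Billing Co,CA,Business Associate,2500,06/30/2021,Hacking/IT Incident,Email,Yes
Example Vendor E,IL,Business Associate,9000,09/01/2021,Hacking/IT Incident,Network Server,Yes
Example Clinic F,OH,Healthcare Provider,600,12/28/2021,Loss,Other Portable Electronic Device,No
"""


def load_reports(text, min_individuals=500):
    """Parse the export; keep only reports at or above the 500-individual
    threshold the portal itself applies (a guard against mixed-in data).
    The year is taken from the submission date, the only date the export has."""
    reports = []
    for row in csv.DictReader(io.StringIO(text)):
        affected = int(row["Individuals Affected"])
        if affected < min_individuals:
            continue
        submitted = datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y")
        reports.append({
            "entity": row["Name of Covered Entity"],
            "type": row["Covered Entity Type"],
            "affected": affected,
            "year": submitted.year,
        })
    return reports


def yearly_totals(reports):
    """Number of reports and total individuals affected, per submission year."""
    totals = defaultdict(lambda: {"breaches": 0, "individuals": 0})
    for r in reports:
        totals[r["year"]]["breaches"] += 1
        totals[r["year"]]["individuals"] += r["affected"]
    return dict(totals)


def pct_change(new, old):
    """Percentage change from old to new, rounded to one decimal."""
    return round((new - old) / old * 100, 1)


def yoy_summary(reports, year):
    """Year-over-year comparison of the kind quoted in the article:
    breach count, individuals affected, growth of each, and average per breach."""
    totals = yearly_totals(reports)
    cur, prev = totals[year], totals[year - 1]
    return {
        "breaches": cur["breaches"],
        "individuals": cur["individuals"],
        "breach_growth_pct": pct_change(cur["breaches"], prev["breaches"]),
        "individuals_growth_pct": pct_change(cur["individuals"], prev["individuals"]),
        "avg_per_breach": cur["individuals"] // cur["breaches"],
    }


def by_entity_type(reports, year):
    """Report count per covered-entity type (provider, plan, business associate)."""
    counts = defaultdict(int)
    for r in reports:
        if r["year"] == year:
            counts[r["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    data = load_reports(SAMPLE_CSV)
    print(yoy_summary(data, 2021))
    print(by_entity_type(data, 2021))
```

To run this against the real export, replace SAMPLE_CSV with the file downloaded from the portal; the "Business Associate Present" column can be added to the grouping to separate breaches reported by a covered entity but caused at a vendor, which the entity-type count alone does not show.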
In the interview, Hamilton also discusses:
- Other findings about 2021 health data breach trends;
- How these trends could play out in 2022;
- Security soft spots at covered entities and their business associates that could be contributing to current breach trends.
Hamilton, CISO at security firm Critical Insight, has more than 30 years of experience in information security. He's the former CISO for the city of Seattle and former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council. Hamilton also recently served as a policy adviser for the state of Washington Office of the CIO.