3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management

Ransomware Incidents Among Largest Breaches on Federal Tally

Analysis of Latest Health Data Breaches on the HHS OCR 'Wall of Shame'
Ransomware Incidents Among Largest Breaches on Federal Tally

Ransomware incidents are becoming a major cause of health data breaches affecting millions of individuals that have been reported so far in 2021, according to the latest additions to the federal tally.

See Also: Live Discussion | Securing Business Growth: The Road to 24/7 Threat Detection and Response

As of Wednesday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that the top 10 largest breaches posted to the tally so far in 2021 were all hacking/IT incidents.

Of those incidents, at least five - affecting a total of nearly 8 million individuals - were publicly disclosed as involving ransomware.

That includes one of the largest breaches added to the tally in recent days: an August ransomware incident reported by Indiana-based Eskenazi Health to HHS on Oct. 1 as a HIPAA breach affecting more than 1.5 million individuals.

"No doubt ransomware is on the rise," in healthcare, as well as in other sectors, says Jim Van Dyke, a senior vice president at security firm Sontiq, which analyzes and rates the severity of data breaches based on the type of information compromised.

"When hackers want to get paid for their activity, ransomware is an increasingly attractive option because they literally hold the breached entity’s records for ransom, threatening to both cripple their operations and create a flood of downstream identity theft and fraud to the individuals who had their various identity records exposed."

10 Largest Health Data Breaches in 2021, So Far

Breached Entity Individuals Affected
Florida Healthy Kids Corp. 3.5 million
20/20 Eye Care Network 3.25 million
Forefront Dermatology* 2.4 million
NEC Networks d/b/a CaptureRx 1.6 million
Eskenazi Health* 1.5 million
The Kroger Co. 1.47 million
St. Joseph's/Candler Health System* 1.4 million
University Medical Center Southern Nevada * 1.3 million
American Anesthesiology 1.27 million
Practicefirst Medical Management Solutions* 1.2 million
*Known ransomware incident
Source: U.S. Department of Health and Human Services

Beyond those 10 largest data breaches posted so far this year, the tally also contains numerous other breaches added in recent weeks, and many of them involve hacking incidents, such as ransomware attacks.

For instance, on Oct. 8, a ransomware breach that was reported by Massachusetts-based ReproSource as affecting 350,000 individuals was posted to the tally.

And on Sept. 20, a May hacking incident involving malware reported by the Alaska Department of Health and Social Services as affecting 500,000 individuals was added to the tally.

Latest Tally Trends

As of Wednesday, the HHS Office for Civil Rights breach tally website shows that since 2009, some 4,296 breaches affecting a total of nearly 311 million individuals have been posted on the tally. Commonly called the "wall of shame," the HHS OCR website lists health data breaches affecting 500 or more individuals.

So far in 2021, 567 breaches affecting 38.5 million individuals have been posted on the HHS site.

Of those, 407 breaches were reported as hacking/IT incidents affecting nearly 36.3 million individuals, or about 94% of people affected by breaches posted on the HHS site so far in 2021.

Some 212 incidents affecting about 20.3 million individuals were reported as involving a business associates so far in 2021.

In fact, vendors have also been involved in some of the largest breaches added to the tally in recent weeks.

That includes at least 11 separate breach reports filed on Oct. 1 by Pennsylvania-based Professional Dental Alliance for its dental practice operations in several states involving an affiliated vendor's phishing incident, which affected a total of about 173,000 individuals.

Other Breaches in 2021

Of all 2021 breaches posted so far, 130 breaches affecting more than 1.94 million individuals were reported as unauthorized access/disclosure incidents.

While breaches involving loss or theft of unencrypted computing and storage devices dominated the wall of shame a few years ago, only 13 breaches affecting a total of about 88,000 individuals and involving lost or stolen unencrypted devices were posted so far this year.

Four improper disposal breaches affected nearly 190,000 individuals - more affected individuals than breaches that were reported as unencrypted device loss/theft incidents.

The largest of those incidents involving improper disposal of protected health information was reported in July by Maine-based HealthReach Community Health Centers as affecting more than 122,000 individuals.

Fighting Back

So, what steps can other HIPAA-covered entities and their business associates take to avoid becoming the next ransomware victims with big health data breaches being added to the federal tally?

First, healthcare sector entities need to keep in mind that many of these attacks are evolving from ransomware that encrypts data-at-rest to exfiltration of data (phrase doesn't make sense to me), or both - with attackers holding data for ransom, some experts note.

While many organizations are improving their practices to be better prepared for potential ransomware attacks involving encryption of data, "it doesn’t matter how good your data backup and recovery procedures are. That doesn’t help in a data exfiltration," says Tom Walsh, president of privacy and security consultancy tw-Security.

Walsh suggests that organizations implement multifactor authentication "on as many applications and systems as possible."

At a minimum, MFA should be applied to email, system administrator or "super user" elevated privileges access, and remote access users, he says.

"While MFA is not required by HIPAA, the cyber insurance industry is driving MFA - taking it from a best practice to a reasonable expectation," he adds.

Walsh also says that entities should conduct penetration tests and address the "high findings" as quickly as possible, and they should conduct a cyberattack tabletop exercise. "You need to be ready," he says.

Organizations should instruct users not to save their user credentials when prompted to do so on the screen, Walsh adds.

"Rule of thumb: If it is easier for the users, it’s easier for the hackers too."

Wake-Up Call

Could the spike in these healthcare sector cyberattacks, including ransomware incidents, have a silver lining?

"Ransomware has gotten much more attention from healthcare CEOs and boards in recent years," says Kate Borten, president of privacy and security consulting firm, The Marblehead Group.

"In fact, it many have been the wake-up call many senior leaders needed to recognize security as a priority," she says.

"This type of attack not only can have a financial and reputational impact on the target organization, but it can and has affected patient care, the core mission of providers."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.