Ransomware, Other Big Incidents Added to Breach Tally
Latest Analysis of the HHS OCR 'Wall of Shame' Health Data Breaches
As the final weeks of 2021 wrap up, the federal health data breach tally continues to show hacking incidents by far dominating as the top category of breaches being reported. That includes the addition of several major ransomware incidents reported by an assortment of healthcare entities and vendors in recent weeks.
As of Thursday, 647 breaches affecting more than 42.4 million individuals were posted in 2021 on the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the HHS Office for Civil Rights website lists health data breaches affecting 500 or more individuals.
Of those added so far in 2021, 472 breaches affecting more than 40.1 million individuals were reported as hacking/IT incidents. That’s 73% of total breaches posted to the tally in 2021 - but those incidents were responsible for 94% of individuals affected so far this year.
For instance, Seattle, Washington-based Sound Generations, a nonprofit organization that operates senior centers and provides social services to disabled individuals, on Nov. 29 reported to HHS a hacking/IT incident affecting nearly 104,000 individuals.
The business associate's breach notification statement indicates that its breach apparently involved two incidents in which an unauthorized party gained access to the organization's computer systems and encrypted information stored on July 18 and Sept. 18.
Potentially compromised information of Sound Generations' clients and other affected individuals includes demographic and health information, such as name, address, phone number, email and date of birth, the breach notice says. For some individuals, such as those who participate in the entity's fitness program, affected data may also include health insurance number, health history and health conditions, Sound Generations says.
Washington, D.C.-based Howard University College of Dentistry on Nov. 23 also reported a hacking/IT incident involving a ransomware attack, which affected nearly 81,000 individuals.
In its breach notification statement, Howard University says the incident was detected on Sept. 23, and there is no evidence that the attacker viewed or accessed any patient’s dental records.
But "such records were made inaccessible via an encryption and information about certain dental visits dating between Oct. 5, 2019 and Sept. 3, 2021 may [no longer] be available."
Information in the affected system may have included names, dates of birth, contact information, dental record numbers, health insurance numbers, dental history information and a limited number of Social Security numbers, the university says.
West Conshohocken, Pennsylvania-based Medsurant Holdings LLC, an independent provider of intraoperative neuromonitoring services to hospitals and surgeons that operates under the name Medsurant Health, also reported to HHS a hacking/IT incident involving ransomware and affecting 45,000 individuals.
The entity's breach notification statement indicates that on Sept. 30, Medsurant received a suspicious email from an unknown actor who alleged that they had removed data from the Medsurant environment. An investigation into the incident confirmed that Medsurant’s systems were accessible to the unknown actor between Sept. 23 and Nov. 12, and that some data had been exfiltrated from its systems, Medsurant says. "Some limited data was also encrypted during this period, but later restored," the statement says.
The types of patient information potentially accessed and acquired in the incident include full name, address, diagnosis/conditions, date of birth, claims information, and Social Security number, the statement says. "We have no evidence of any fraudulent misuse of the information," Medsurant adds.
Business associates were reported to HHS as being "present" in 234 breaches affecting nearly 21 million individuals in 2021. That’s more than one-third of total breaches posted to the tally so far this year - but those incidents are responsible for nearly half of the people affected by all breaches so far in 2021.
The largest of those breaches - affecting 3.5 million individuals - was reported in January by Florida Healthy Kids Corp., an administrator of children’s dental and health insurance programs in Florida.
That incident involved a website-hosting vendor that apparently failed to address vulnerabilities over a seven-year period, resulting in the exposure of personal data as well as hackers tampering with data.
"Covered entities and business associates should recognize that these attacks will continue as long as they are lucrative" to cybercriminals, says Kate Borten, president of privacy and security consultancy The Marblehead Group.
While hacking/IT incidents dominate breaches posted in 2021 to the HHS tally, the second-most-common breach this year was unauthorized access/disclosure incidents. Some 141 such incidents affecting 1.96 million individuals are posted.
"Accidental disclosure of data is often overlooked," says Tom Walsh, founder of privacy and security consultancy tw-Security. "The increased use of cloud storage and collaboration tools is exposing more data than ever before. Many organizations don’t require their employees to go through any type of comprehensive training for cloud-based collaboration tools."
Walsh says the tools allow employees to share and exchange data and leave it up to each user to set the appropriate permissions to files and folders. "This is an incident waiting to happen," he says.
Only 15 breaches appearing on the tally for 2021 so far were reported as lost/stolen unencrypted devices, affecting about 97,000 individuals. Those types of breaches were the most common type reported to HHS in past years.
To date, since 2009, the HHS site shows a total of 4,374 breaches affecting nearly 316 million individuals.
Next year, hacking incidents will continue to dominate, if not grow, Borten predicts. "Unfortunately, as long as there's a big payoff and only moderate risk to the attackers, they'll keep coming."
Ransomware tends to get the most attention from boards, she says, but it's also important for covered entities and business associates to keep their eyes on the full range of security threats and vulnerabilities.
Borten says that working remotely is likely to continue when the pandemic subsides, and while it brings many benefits, it also carries heightened risks to the security and privacy of networks and information assets. "Organizations need to be vigilant in setting policies, implementing controls, and monitoring adherence by those remote workers," she says.
Walsh says healthcare sector entities often assume a breach won't happen to them and therefore are shocked when one occurs. He says organizations need to assess or test their overall readiness to prevent, detect and respond to these events.
"A well-run tabletop exercise can reveal the pitfalls of an organization’s security posture. It is far better to catch the pitfalls during an exercise rather than dealing with them after an attack."
Borten says that all organizations must have strong defensive controls in place, including multifactor authentication where feasible, and must carefully monitor the environment for threats and attacks.
"Proactive risk assessment should be part of IT and security teams' daily mindset, and the full workforce must have frequent security reminders, including on phishing," she says. "Using real life examples of phishing attacks, which are becoming more sophisticated over time, should sensitize users to the threat, both at work and in their personal lives."