What Are the Reasons Behind Health Data Breach Surge?Ransomware Attacks, Vendor Breaches Continue as Leading Causes
About 70 major health data breaches have been added to the federal tally in the last four weeks as ransomware attacks have persisted and breaches at vendors have affected clients.
As of Monday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website showed 159 breaches affecting a combined total of 12.5 million individuals have been added to the tally so far this year. That's up substantially from the 89 breaches affecting 7.3 million individuals that had been added as of March 15, when Information Security Media Group provided its most recent previous tally snapshot.
The HHS Office for Civil Rights website, commonly called the "wall of shame," displays health data breaches affecting 500 or more individuals that the agency has confirmed.
Since 2009, 3,881 breaches affecting a total of more than 285 million individuals have been posted on the site.
10 Largest Health Data Breaches Added to Tally in 2021
|Breached Entity||Individuals Affected|
|Florida Healthy Kids Corp.||3.5 million|
|The Kroger Co.||1.47 million|
|American Anesthesiology Inc.||1.27 million|
|Health Net Community Solutions||687,000|
|Health Net of California||524,000|
|Bricker & Eckler LLP||421,000|
|Total Health Care Inc.||221,000|
|Woodcreek Provider Services LLC||207,000|
The 10 largest health data breaches added to the tally so far in 2021 were all reported as hacking/IT incidents. Five of those 10 largest breaches were reported to HHS after March 25.
At least four of the 10 largest breaches - those reported by The Kroger Co., Health Net Community Solutions, Health Net of California and Trinity Health - stemmed from the December cyberattack on Accellion's File Transfer Appliance product (see: More Accellion Health Data Breaches Revealed).
Of all the breaches added to the tally, nearly 68% were reported as hacking/IT incidents; those affected a combined total of nearly 12.1 million individuals.
Unauthorized access/disclosure breaches are the second most common type of breach added to the tally so far this year. Some 45 such incidents affected a total of nearly 420,000 individuals.
The largest of those was reported on April 1 by revenue cycle management vendor Med-Data Inc.; it affected nearly 136,000 individuals. The breach involved a former employee uploading files containing patient data to the public-facing, open-source software development hosting website GitHub (see: Vendor Breach Involved PHI Exposure on GitHub).
Of the breaches added to the tally this year, 61 incidents affecting more than 8.2 million individuals were reported as involving business associates.
One of the largest of the BA incidents recently added was a ransomware attack on Ohio-based law firm Bricker & Eckler LLP that affected nearly 421,000 individuals.
"Findings from the investigation indicate that the party obtained some data from certain Bricker systems," the law firm says in a statement. "Bricker was able to retrieve the data involved from the unauthorized party and has taken steps to delete the data. At this time, Bricker has no reason to believe this data was further copied or retained by the unauthorized party."
Business associates continue to experience data breaches at an alarming rate, says Susan Lucci, senior privacy and security consultant at tw-Security.
As of the end of first quarter, 36% of the health data breaches added this year to the federal tally involved business associates, but those incidents represented about 64% of the individuals affected by breaches in the quarter, she says.
Clients of BAs need to regularly monitor their security performance, Lucci says. "Is the information security officer still there? Are they reminding their workforce about hacking and phishing threats often enough? Have they considered new technology to better protect the data? Talk to them and find out," she says. "They are an extension of your workforce, and communication with the 'entire' workforce is key in minimizing risk."
So far this year, only one breach added to the tally involves the theft or loss of an unencrypted computing device, which was a leading cause of breaches back when the tally originated in 2009.
That lost laptop incident, reported by Florida-based WeCare TLC in January, affected about 2,300 individuals.
"We’re generally seeing a long-term decrease in some of the data compromise methods that are the easiest to address," says Jim Van Dyke, senior vice president of digital financial wellness at security vendor Sontiq. "As an example, this is why you are reading about fewer cases of backup storage or mobile devices - including those containing unencrypted data - being accidentally left behind, discarded or left easily available to burglars.
"I expect we will see continued progress in areas like these, which reflect increased controls between enterprise management/IT and the individuals who feel a need to access stakeholders’ personal data."
Most organizations have implemented encryption for mobile devices, so if they're lost or stolen, data they contain will not be breached, Lucci notes.
"The use of USB portable media still needs to watched carefully by organizations, and using technical solutions to enforce the use of encrypted mobile media is very necessary," she says.
What's the Real Risk?
Van Dyke also notes: "We continue to primarily measure the risk of a breach based on how many individuals were affected, rather than how much risk was raised for any one individual who was in the breach" - including the risk of identity theft and fraud.
"If one breach created three times the risk to an affected identity holder, we need to start communicating that," he says. "Breach notices are embarrassingly generic, obfuscating and self-serving, which only stands in the way of letting affected individuals understand what particular actions they now need to prioritize based on the unique nature of the breach."
Following any data breach, healthcare entities should inform affected individuals about the severity of the breach, the specific risks that were raised and the precise actions that affected individuals must now prioritize to reduce their risks, he says.