Health Data Breach Tally: Analyzing the Latest TrendsSorting Out What Kinds of Incidents Are Most Common This Year
The federal tally of major health data breaches for 2018 continues to be dominated by hacking incidents and breaches involving unauthorized access/disclosure, while breaches involving lost or stolen protected health information continue to decline.
An Oct. 29 snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 302 breaches have been added to the tally so far in 2018, affecting a total of about 8.8 million individuals.
Since 2009, a total of 2,482 major breaches impacting nearly 186 million individuals have been posted to the federal tally.
Commonly called the "wall of shame," the HHS' Office for Civil Rights' website lists health data breaches impacting 500 or more individuals.
2018 Trend Spotlight
Of breaches posted so far this year, 127 are listed as hacking/IT incidents, affecting nearly 5.7 million. That means those incidents account for 42 percent of the total breaches posted so far this year but are responsible for 64 percent of the individuals impacted.
The largest 2018 hacking/IT incident - as well as the largest breach so far posted on the tally this year - was reported in July by Iowa Health System, which operates under the name UnityPoint. That incident involved a phishing attack and impacted 1.4 million individuals.
Coming in second as the most common type of breach reported in 2018 so far are unauthorized access/disclosure incidents. So far, 121 of those incidents impacted about 2.1 million individuals.
The largest of these incidents - and the second largest of all breaches posted so far in 2018 - was reported on Oct. 15 by the Employee Retirement System of Texas. That incident, which impacted 1.25 million individuals (or more than half of the victims impacted by unauthorized access/disclosure breaches so far in 2018) involved coding mistakes on a web portal, potentially exposing ERS members' PHI to other members.
So far this year, 48 breaches involving lost or stolen patient records have been added to the federal tally, impacting nearly 694,000 individuals. The largest of those incidents, however, impacted more than half of those victims. That was a theft reported by the California Department of Developmental Services, affecting more than 582,000 individuals and involving mostly paper/film records.
The California agency says the incident involved trespassers ransacking files, vandalizing and stealing state property and starting a fire at the agency's Sacramento legal and auditing offices.
Overall, lost/stolen PHI incidents represented about 15 percent of the breaches posted to the OCR site in 2018 so far - continuing the downward trend from a few years ago when such incidents were the top culprit in major health data breaches.
Five Largest Health Data Breaches So Far in 2018
|Breached Entity||Individuals Affected|
|Iowa Health System/UnityPoint Health||1.4 million|
|Employees Retirement System of Texas||1.25 million|
|California Dept. of Developmental Services||582,000|
|Health Management Concepts||502,000|
Among the largest hacking breaches added to the tally in recent weeks was a phishing attack reported on Oct. 5 by Gold Coast Health Plan. That incident impacted more than 37,000 individuals.
In an Oct. 5 statement, the Camarillo, Calif.-based independent public entity that provides health plans to Medi-Cal beneficiaries says it discovered on Aug. 8 that it suffered a phishing email attack that had compromised an employee email account.
"GCHP's investigation indicated that member information was contained as attachments in some of the compromised emails," the statement notes. "The phishing attack permitted the attacker to access the employee's email account between June 18 and August 1, 2018."
Potentially compromised data includes health plan identification numbers, dates of medical service, and in some cases, member names, dates of birth and medical procedure codes.
"GCHP is not aware of any misuse or attempted misuse of the affected health information," the statement says. "According to computer forensics experts and law enforcement, these types of attacks are usually financially motivated. Based on our investigation, we believe the perpetrators of the attack were trying to fraudulently transfer GCHP funds to their account."
Phishing attacks continue to pose significant threats to healthcare entities because the incidents are often the vector to assorted hacking assaults, ranging from ransomware to business email compromise.
"Ransomware will continue to be a threat to the healthcare industry," notes Keith Fricke, principle consultant at tw-Security. "Criminals are intent on compromising user credentials as a way to gain unauthorized access to information, especially to use compromised email credentials for phishing."
Susan Lucci, senior privacy and security consultant at tw-Security, adds: "Organizations would be wise to continue to focus on specific training and reminders about phishing attacks, what they look like and how to engage their workforce in identifying and promptly reporting potential phish and malware threats. It only takes one accidental click to infect an entire network."
Healthcare attacks involving hacking could worsen if medical devices are targeted, she says.
"Cybercriminal attacks aimed at general access or even specific targets on biomedical equipment is a serious concern to the healthcare information security sector," Lucci says.
"Proactive steps such as a comprehensive security risk analysis on all biomed equipment, should already be well underway, and if not, at least scheduled. This should be a high priority for all information security departments in healthcare so that intrusion and/or potential patient safety issues are minimized."
To prevent breaches involving unauthorized access/disclosure breaches, organizations should learn lessons from the recent Employee Retirement System of Texas incident involving a coding mistake that allowed some members to view other member's personal information via ERS' web portal, Lucci says.
One contributor to such incidents "could be some inherent bugs in coding that is hastily being sought to get new products and services made available without perhaps enough critical testing and quality checks performed before deployment," she notes.
"Many coding projects are being outsourced and in many cases offshored where change control policies may not be capturing some potential issues."
As for the decline in breaches resulting from losses and thefts of unencrypted devices, "the numbers certainly indicate that many healthcare organizations have begun to encrypt more devices, yet we continue to hear that the project is not 100 percent complete," Lucci says. "The good news is that this seems to a project that has garnered a lot of attention."
Fricke offer a similar assessment. "It seems that organizations may be doing a better job of encrypting mobile devices, and perhaps educating workers about locking laptops up in car trunks when unattended, to avoid 'smash and grab' theft. As boards of directors pay more attention to cyber risk, the result may be improved consistency of encrypting devices," he says.