Health Data Breach Tally: The Latest Additions
Big Ransomware Attacks Added to 'Wall of Shame'
Several large breaches involving hacking/IT incidents, including ransomware attacks, have been added in recent weeks to the federal tally of major health data breaches.
The largest incident added to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website is a ransomware incident at Bayamón Medical Center and Puerto Rico Women and Children's Hospital (see Ransomware Attack Impacts 522,000 Patients in Puerto Rico).
Also added to the tally was a ransomware attack reported by Lake Charles, Louisiana-based physician network Imperial Health, LLP, which affected over 116,000 individuals.
Commonly called the “wall of shame,” the federal tally website lists major health data breaches impacting 500 or more individuals.
Ransomware Incidents Described
The organizations in Puerto Rico say that on May 21, they discovered that patient information was involved in "a blocking incident" that affected the hospitals' computer network.
Bayamón Medical Center reported the incident as impacting nearly 422,500 individuals and Puerto Rico Women and Children's Hospital reported the breach as affecting nearly 100,000 individuals. That makes the incident the largest ransomware-reported breach added to the tally so far this year.
The hospitals did not indicate whether they paid a ransom or remediated the situation without paying the hackers.
In its notification statement, Imperial Health says that on May 19, it determined that “a malicious virus was used by an unauthorized party to infect the CFO system and encrypt the data contained therein. To the best of our knowledge, no patient information was removed by any unauthorized party from the CFO system as a result of this malware attack.”
The patient data that was encrypted by the ransomware included: name, date of birth, Social Security number, address, telephone number, medical record number and other clinical information, the statement says.
Imperial Health notified local law enforcement officials and the FBI, the statement notes.
Imperial Health did not immediately respond to an Information Security Media Group request for additional details about the incident, including whether the entity paid a ransom to decrypt its data.
Pending Breach Reports
The official tally does not yet reflect the full impact of the largest cyberattack in the healthcare sector so far in 2019 - a hacking incident revealed in May by New York-based debt collection firm American Medical Collection Agency.
As of Monday, only one breach report related to the AMCA cyberattack was posted on the federal tally. That was an incident impacting more than 3,000 individuals reported on July 15 by San Carlos, California-based reproductive services provider Natera Inc.
Meanwhile, Albuquerque, New Mexico-based Presbyterian Healthcare Services issued a notification statement Friday about a phishing incident involving employee email discovered in June that affected more than 180,000 individuals. That newly announced breach has yet to show up on the federal tally.
“These email accounts included patient and/or health plan member names and might have contained dates of birth, Social Security numbers and clinical and/or health plan information,” the entity says. “Once Presbyterian became aware of this incident, it secured these email accounts, began a thorough review of the impacted emails and alerted federal law enforcement.”
Some 2,826 breaches affecting 202.1 million individuals have been posted to the breach tally since its inception in September 2009.
As of Monday, the wall of shame shows 271 breaches affecting a total of 11 million individuals have been added so far this year.
Of those, 161 breaches were reported as hacking/IT incidents, impacting 8.7 million individuals – or about 80 percent of those affected by health data breaches added to the tally so far this year.
Of health data breaches posted on the tally so far in 2019, 76 breaches are listed as unauthorized access/disclosures, affecting a total of nearly 2.1 million individuals. But some of those incidents reported as “unauthorized access/disclosure” breaches are known to have involved hacking incidents. That includes a ransomware incident that affected 106,000 individuals at Indiana-based Talley Medical Surgical Eyecare.
The wall of shame shows that only 18 loss/theft breaches involving unencrypted computing devices, impacting about 149,000 individuals, have been added this year. For several years, losses and thefts of unencrypted devices were the top culprit in major health data breaches, until encryption became far more common and hacker attacks surged.
The dramatic rise in hacking incidents in recent years is a great cause for concern, says Susan Lucci, senior privacy and security consultant at tw-Security.
“Simply stated, we must find better ways to protect all confidential information and most especially, protected health information. Current processes are not as effective as they should be,” she says.
The federal tally also does not reflect the many ransomware attacks in healthcare that are never reported to federal regulators because the affected organizations determined that those incidents did not compromise protected health information.
“If you consider that ransomware is an unauthorized access due to the malware that encrypts the records, then it stands to reason that ransomware is a reportable breach,” Lucci says.
Back in 2016, HHS issued guidance on ransomware stating that when ransomware encrypts electronic protected health information, a breach is presumed to have occurred and must be reported under the HIPAA Breach Notification Rule unless the organization can demonstrate a low probability that the data was compromised.