Health Data Breach Tally: More and More Hacker AttacksWhat Can Be Done to Address the Risks?
Hacker incidents continue to dominate major breaches reported to the Department of Health and Human Services. Among the latest incidents added to the HHS tally: an attack at an Atlanta clinic affecting 531,000 individuals.
As of Dec. 5, some 286 breaches affecting more than 15 million individuals have been posted to the HHS Office of Civil Rights' "wall of shame" tally in 2016. Of those, 93 were hacking incidents; they affected a total of more than 12 million individuals.
The Atlanta breach was reported to HHS on Nov. 18 by Peachtree Orthopaedics Clinic. The clinic confirmed the Sept. 22 intrusion in an Oct. 4 statement, and it said it was working closely with forensic experts and the FBI to investigate and address the situation.
"While the investigation is ongoing, there is evidence indicating that information such as patient names, home addresses, email addresses, and dates of birth was potentially taken. In some cases the patient's treatment code, prescription records, or Social Security number may also have been taken."
Top 2016 Hacking Incidents
|Breached Entity||Individuals Affected|
|Banner Health||3.6 million|
|Newkirk Products||3.5 million|
|21st Century Oncology||2.2 million|
|Valley Anesthesiology Consultants||883,000|
|Peachtree Orthopaedic Clinic||531,000|
The incident appears to involve a hacker using the moniker TheDarkOverlord who has in 2016 frequently exfiltrated health data, attempted extortion from the breached health organizations, and posted the stolen information on the dark web, according to the blog Databreaches.net.
Among other healthcare clinics in 2016 that have reportedly been victims of hacker assaults by TheDarkOverlord was Prosthetic & Orthotic Care in Missouri, which in August reported to HHS a hacker incident affecting 23,000 individuals.
A Peachtree Orthopaedics Clinic spokeswoman declined to comment on whether the hacker attack at the organization involved TheDarkOverlord. "We'll leave accountability [for the incident] to law enforcement," she said. Since the incident, Peachtree Orthopaedics has taken forensic measures to review the incident and bolster security procedures and policies, she says, declining to disclose details.
"Criminals find the healthcare sector a very lucrative area to make money," says security and privacy consultant Rebecca Herold, president of SIMBUS LLC and CEO of The Privacy Professor.
"From what we've seen, it is quite easy to get money, in multiple ways, from healthcare entities," she says. "The crooks can sell the healthcare data for much more than the other types of personal data in other sectors. Not only can the data be used for medical identity theft along with the other types of identity fraud, but all that prescription data can be sold to drug dealers and those peddling prescription drugs for lower prices online, creating a profitable revenue path for them."
The Peachtree Orthopaedics breach is the fifth largest hacker incident appearing so far in 2016 on the HHS wall of shame, which lists breaches affecting 500 or more individuals. The largest hacker breach posted this year was an incident reported in August by Banner Health affecting 3.62 million individuals.
Some security and privacy experts expect the hacking trend affecting healthcare sector organizations to persist in the year ahead.
"Unfortunately, I do expect hacker breaches to continue in 2017," says Dan Berger, CEO of security consulting firm Redspin. "There is now an enormous attack surface of protected health information out there - with the vast majority of hospitals and clinics now using electronic health record systems. Add to that the amount of PHI data sharing that occurs between providers as well as with business associates, and hackers have a wide attack space to choose from."
Since federal regulators began tracking major health data breaches in September 2009, some 1,757 incidents impacting a total of 169.7 million individuals have been posted to the wall of shame.
Several major hacker attacks in 2015 were responsible for impacting more than 100 million of those victims. The largest of those breaches was the cyberattack reported in February 2015 by health plan Anthem Inc., which affected 78.8 million individuals.
Among other hacker-related breaches recently added to the federal tally is a ransomware incident affecting almost 30,000 individuals reported on Nov. 30 by Seguin Dermatology, the office of Robert Magnon, M.D., in Texas. In a statement, the clinic says that a September ransomware attack resulted in its server being encrypted. "Seguin Dermatology was able to remove the ransomware from its server. Subsequently, a forensic examination of the affected server ... concluded that there was a high likelihood that protected health information was accessed."
The affected server contained demographic information including patient names, addresses, telephone numbers, and dates of birth; insurance billing information; procedure codes; and some Social Security numbers.
Also added to the tally was a hacking incident reported on Nov. 30 by Louisiana Health Cooperative Inc. in Rehabilitation that affected 8,000 individuals.
Path of Least Resistance
"Hackers will typically tend toward the highest value targets with the least path of resistance," Berger notes. "Ransomware emerged in 2016 precisely for this reason - it doesn't take a lot of effort to launch a ransomware attack, and no matter what ransom the targeted entity pays, the hacker gets a good return on investment of their time and effort."
While healthcare entities have been in the bullseye for ransomware attacks in 2016, many of these incidents have yet to show up on the wall of shame as reported breaches. That includes a ransomware attack earlier this year on Hollywood Presbyterian Medical Center, which admitted paying about $17,000 to unlock data encrypted by hackers.
Steps to Take
Experts say covered entities and business associates can take a number of steps to avoid falling victim to hacker attacks and other breaches that can land them on the federal tally.
That includes conducting a comprehensive, enterprisewide security risk analysis. "Fortunately, we are seeing more and more organizations get serious about conducting HIPAA risk assessments. However, a common mistake is to limit the scope of the [risk analysis] to policies and procedures, and not go deep enough into the technical vulnerabilities that may exist in the overall infrastructure," Berger says.
"We routinely recommend both external and internal penetration testing, wireless assessments and social engineering as an integral part of a [risk analysis] so that the scope more accurately mimics the attack vectors used by real cybercriminals."
Herold recommends organizations strengthen authentication. "Ideally all CEs and BAs should use two-factor authentication, which would prevent these exploits of horribly weak passwords," she says. "Realizing some old, legacy systems may not allow for two-factor authentication, then at the very least organizations should establish a minimum password requirement of a complex password that includes upper and lower case alphas, numerals and special characters. The data leaked from points of compromise shows that the passwords used were about as weak as they could have possibly been."
It's also critical to provide not only effective information security and privacy training to employees, "but also send out frequent reminders of what employees need to do to secure data while performing their daily work activities," she says.