Health Data Breach Tally Spikes in Recent Weeks
A Wide Assortment of Hacker, Insider Incidents Reported
The reporting of major health data breaches to federal regulators has spiked in recent weeks. So what's behind the surge?
As of Tuesday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website - commonly called the "wall of shame" - showed 86 major health data breaches affecting more than 1 million individuals had been added to the tally so far this year.
Nearly half of those incidents have been posted to the wall of shame since March 15, the last time Information Security Media Group analyzed the federal breach tally (see Health Data Breaches Added to Tally Vary Widely).
Is there a key reason why the number of breaches reported to federal regulators has surged in the last month?
"I suspect it is just a coincidence of some kind and not a reflection of any larger trend," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
But Jay Trinckes, principal security consultant at consultancy NCC Group, says there are likely other issues behind the recent spike.
"One of these reasons [is] the average time to identify breaches - based on the Ponemon Institute's 2017 Cost of Data Breach Study - is 191 days," he notes. "Although there may have been a spike to reporting over the last month, we can't forget that these breaches probably occurred over six months back. This puts the breaches occurring around November/December, just around the holiday season where hackers are working overtime while staff may not be as vigilant for the winter breaks and vacations to spend time with family."
Another factor behind the recent spike could be related to news about privacy issues at other organizations, he says. "For example, Facebook is under a lot of scrutiny over privacy and making individuals aware of issues with their privacy. It could be a good time for organizations to 'come clean' with any breaches that have taken place."
To date, the federal tally shows that hacker/IT incidents represent nearly a quarter of the breaches reported in 2018, but they're responsible for impacting about 613,000 individuals - or more than half of the total victims so far this year.
But hackers are only a part of the picture. An assortment of other incidents have also contributed to the victim count this year.
For instance, lost or stolen unencrypted devices continue to dot the wall of shame.
So far this year, 18 incidents involving lost or stolen unencrypted laptops and other computer equipment, impacting about 68,000 individuals, have been added to the tally.
Unauthorized Access, Disclosure
The most frequently reported type of breach so far this year is "unauthorized access/disclosure." The 38 such breaches reported impacted about 339,000 individuals.
Breach notifications from some of the organizations reporting those incidents show a wide range of circumstances involved.
For instance, an "unauthorized access/disclosure" breach reported on March 29 by Middletown Medical impacted about 64,000 individuals, making it the fifth largest breach added to the federal tally in 2018.
A notification statement from the New York-based practice indicates that on Jan. 29, the entity learned that a security setting on a radiology interface "may have permitted users to see a patient listing and, in a limited number of cases, may have allowed unauthorized users to access limited electronic patient information."
Middletown Medical says that it "modified the interface and terminated any potential unauthorized access to the patient listing and electronic patient information."
One of the most recent "unauthorized access/disclosure" breaches added to the tally was an email incident reported on April 12 by Polk County Health Services in Iowa. It affected about 1,000 individuals - and lasted nearly four years.
A notification from the organization, which is the regional administrator and the governing board for mental health and disability services on behalf of Polk County, Iowa, notes that the breach occurred from June 1, 2014, to Jan. 11, 2018.
"During this period, Polk County Health Services accidentally and unknowingly disseminated personal and protected health information of individuals who have received services at the Crisis Observation Center in Des Moines, Iowa. Polk County Health Services became aware of the potential breach on Feb. 14, 2018."
Data exposed included full name, home address, Social Security number, Medicaid identification number, date of admission to the Crisis Observation Center and discharge location. Polk County Health Services is offering those affected one year of free credit and identity monitoring.
Lessons to Learn
Nahra says other entities must learn from the assortment of breaches being reported in the healthcare sector.
"Companies need to place a high priority on internal monitoring - both to find unusual activity and to keep an eye on employee behavior," Nahra says. "The 'worst' situations are those where someone is misusing a system - a hacker or internal person - for an extended period of time without getting caught."
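As an added illustration of the kind of internal monitoring Nahra describes (this is example code written for this page, not code from the article or from any organization named in it), the Python script below runs two checks over constructed electronic-health-record audit lines: a volume check that flags a user whose distinct-patient count for a day is far above that user's own historical baseline, and a persistence check that flags a user who keeps opening charts outside their assigned patient panel across many days, the "extended period of time without getting caught" pattern. The log format, user names, patient identifiers, the treatment-relationship table and the thresholds are all constructed assumptions; a real audit feed would need its own parser but carries the same fields.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed audit-line layout (assumption): timestamp, actor, chart touched, action.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Constructed treatment-relationship table: the charts each user is expected to open.
ASSIGNMENTS = {
    "nurse01": {f"P{1000 + i}" for i in range(6)},  # a six-patient nursing panel
    "clerk07": set(),                                # billing clerk with no chart duties
}


def build_constructed_log():
    """Constructed sample: a nurse with a steady 4-6 charts a day who pulls 40 on the
    last day, and a clerk who quietly reads one unassigned chart every day for a month."""
    lines = []
    start = date(2018, 1, 1)
    for d in range(30):
        day = start + timedelta(days=d)
        n = 40 if d == 29 else 4 + (d % 3)
        for i in range(n):
            lines.append(f"{day}T09:{i:02d}:00 user=nurse01 patient=P{1000 + i} action=VIEW")
        lines.append(f"{day}T12:00:00 user=clerk07 patient=P{2000 + d} action=VIEW")
    return lines


def parse_line(line):
    """Parse one audit line into a record; a malformed line is an error, not silently dropped."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["day"] = rec["ts"][:10]  # ISO date prefix, sorts correctly as a string
    return rec


def daily_distinct_patients(records):
    """user -> day -> number of distinct patient charts touched that day."""
    per = defaultdict(lambda: defaultdict(set))
    for r in records:
        per[r["user"]][r["day"]].add(r["patient"])
    return {u: {d: len(p) for d, p in days.items()} for u, days in per.items()}


def flag_volume_spikes(records, z=3.0, min_history=7):
    """Flag days where a user's chart volume exceeds their own prior mean by z standard
    deviations. The spread is floored at 1.0 so a perfectly flat history cannot make a
    one-chart difference look anomalous."""
    alerts = []
    for user, by_day in daily_distinct_patients(records).items():
        days = sorted(by_day)
        for idx, day in enumerate(days):
            history = [by_day[d] for d in days[:idx]]
            if len(history) < min_history:
                continue
            baseline = mean(history)
            spread = max(pstdev(history), 1.0)
            if by_day[day] > baseline + z * spread:
                alerts.append({"user": user, "day": day, "count": by_day[day],
                               "baseline": round(baseline, 1)})
    return alerts


def flag_sustained_unassigned_access(records, assignments, min_days=14):
    """Return users who opened charts outside their assigned panel on at least
    min_days distinct days: low daily volume, but sustained over weeks."""
    days_off_panel = defaultdict(set)
    for r in records:
        if r["patient"] not in assignments.get(r["user"], set()):
            days_off_panel[r["user"]].add(r["day"])
    return {u: len(d) for u, d in days_off_panel.items() if len(d) >= min_days}


def run_example():
    records = [parse_line(line) for line in build_constructed_log()]
    return flag_volume_spikes(records), flag_sustained_unassigned_access(records, ASSIGNMENTS)


if __name__ == "__main__":
    spikes, sustained = run_example()
    for a in spikes:
        print(f"volume spike: {a['user']} on {a['day']} opened {a['count']} charts "
              f"(baseline {a['baseline']})")
    for user, days in sustained.items():
        print(f"sustained off-panel access: {user} on {days} distinct days")
```

The two checks are deliberately complementary: the nurse's one-day spike touches many unassigned charts but only on a single day, so only the volume check catches it, while the clerk never exceeds one chart a day and is caught only by the persistence check. Either alert is a prompt for a human review of whether a treatment or business reason existed, not a verdict on its own.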
Although hacker-related breaches so far this year continue to account for a high percentage of health data breach victims, the total victim counts in these recent hacker incidents remain much lower than the huge cyberattacks reported in the healthcare sector in 2015.
To date, the largest health data breach on record in the U.S. remains the hacker attack on Anthem Inc., reported in February 2015, which impacted nearly 79 million individuals.
"Hacker breaches obviously can have big numbers," Nahra says. "Companies need to be policing their systems and thinking about ways to wall off data so that hackers cannot access as much information. I hope that the reduced number of 'mega' breaches is a reflection of better practices, but I suspect it is just a coincidence."
Since 2009 - when HHS began publicly posting its tally of reported breaches impacting 500 or more individuals - 2,267 major health data breaches have affected a total of nearly 177.8 million individuals.