Health Data Breach Tally: What's New?

Hacks, Thefts and Business Associate Breaches Among the Incidents Added
Some 22 health data breaches reported to regulators in 2019 - including hacking incidents and thefts of unencrypted devices - already have been added to the official federal tally, with business associates involved in six of the largest incidents.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website shows these 22 incidents affected a total of more than 391,000 individuals, with about 60 percent of those victims affected by the six BA-related breaches. Commonly called the "wall of shame," the website lists major health data breaches impacting 500 or more individuals.
The largest of the breaches reported in 2019 that have recently been added to the tally is a phishing incident impacting 111,600 individuals reported on Jan. 3 by a business associate - Texas-based Centerstone Insurance and Financial Services, which does business as BenefitMall. It provides payroll and employee benefits administration services.
The second largest hacking incident was reported to HHS' Office for Civil Rights on Jan. 18 by Valley Hope Association, a Norton, Kansas-based provider of substance abuse treatments. In its breach notification statement, the organization says the breach, which affected more than 70,000, involved unauthorized access to email messages and file attachments stored in an employee's email account.
"We are taking steps to implement additional safeguards and review policies and procedures to further protect the security of information on our systems," Valley Hope says in a statement about the incident posted on its website. Valley Hope is also providing affected individuals with access to 12 months of prepaid identity monitoring services.
Among the other largest breaches added to the tally in the early weeks of 2019 was a theft of an unencrypted hard drive reported by Texas-based Las Colinas Orthopedic Surgery & Sports Medicine, which operates under the name All-Star Orthopaedics. That incident, reported to OCR on Jan. 18, impacted 76,000.
In a breach notice posted on its website, All-Star Orthopaedics says that on Nov. 20, 2018, it discovered that a hard drive containing X-rays and other diagnostic images had been stolen. "The information located on the hard drive is not encrypted; however, special software is needed to access the information. If opened, the image files contain patient names and birthdates. No other information is stored on the images on the hard drive."
The only other breach involving the loss or theft of unencrypted devices reported so far in 2019 was a computer theft impacting 7,200 individuals reported on Jan. 18 by Newark, New Jersey-based Integrity House, a provider of substance use disorder treatment.
In a statement posted on its website, Integrity House says that on Nov. 25, 2018, it discovered that one of its offices was burglarized. "Stolen in the burglary were a number of business computers and tablets," the organization says.
An investigation by Integrity House's IT team determined that personal information stored on the devices included patient names, dates of birth, Social Security numbers, health insurance information and limited treatment information. "No financial transaction or payment information was involved in this incident," the entity says. Nevertheless, Integrity House is offering prepaid credit and ID monitoring services to those affected by the incident.
Integrity House says it's reviewing and updating its policies and procedures related to physical security at its facilities, encrypting all hard drives for all computer devices, strengthening password requirements and instituting additional policies around the handling of personal information.
Other breaches reported in 2019 and added to the tally include seven involving "unauthorized access/disclosure" that affected a combined total of nearly 15,000 individuals. Two of those incidents are listed as involving email; the rest were reported as involving paper/film or "other."
2018 Breaches Updated
As of Feb. 4, the federal tally shows 366 breaches impacting a total of more than 13.2 million individuals were reported in 2018 (see 2018 Health Data Breach Tally: An Analysis).
Several of those breaches reported in 2018 have only recently been added to the tally. The largest was a hacking incident reported on Dec. 20 by JAND Inc., which does business as Warby Parker, an eyecare services provider. That incident affected nearly 178,000 individuals.
The wall of shame shows a cumulative total of 2,567 breaches affecting about 190.7 million individuals since late 2009, when the tally was launched.
What early trends appear to be emerging on the tally this year?
"What is worth mentioning is that ... the largest two breaches [reported in 2019] involve business associates," notes privacy and security consultant Susan Lucci of tw-Security, referring to the incidents reported by All-Star Orthopaedic and BenefitMall.
HHS data in 2017 and 2018 indicates that business associates were implicated in about 25 percent of major reported health data breaches, she notes. "Business associates really need to step up their security defenses to protect protected health information and personally identifiable information to guard against the evolving efforts of cybercriminals to exploit confidential information," she says.
With HHS considering potential modernization of the HIPAA rules, states considering toughening regulations for breach reporting and the growing costs associated with data breaches, "the privacy bar has been raised and the measures to keep up have as well," she adds.
So what should covered entities and business associates be doing to address these growing concerns?
"Create or review and update your security risk analysis," Lucci advises. "This needs to be done every year without fail. Take a serious review of policies, procedures and workforce training. If these haven't been updated in the last two years, the information has grown stale, it's not keeping up with real security threats, and your workforce, where most security incidents begin, likely isn't engaged in the training."