Health Data Breaches Added to Tally Vary WidelyMalware, Mailing Errors and More Reported on the 'Wall of Shame'
Large breaches involving hackers continue to plague the healthcare sector this year, but incidents involving lower-tech issues, including mailing errors, also are persisting.
As of March 15, 45 major breaches impacting a total of about 740,000 individuals have been added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website this year. Commonly called the "wall of shame," the website lists breaches impacting 500 or more individuals.
About a third of the breaches added to the tally so far this year are listed as involving hacking/IT incidents; those 15 incidents affected a total of about 555,000 individuals.
Some 19 breaches involving "unauthorized access/disclosure" have been added to the tally; those affected about 152,000 individuals. Ten of those incidents involved paper or film; the rest involved electronic health records, email or "other."
Since September 2009, 2,227 major breaches affecting more than 177.4 million individuals have been listed on the official tally.
Major Hacking Incident
The largest incident added to the wall of shame in recent weeks was reported on Feb. 28 by St. Peter's Ambulatory Surgery Center LLC - d/b/a St. Peter's Surgery & Endoscopy Center - located in upstate New York. That breach was reported as a hacking/IT incident impacting nearly 135,000 individuals.
In a notification statement, St. Peter's says it learned on Jan. 8 that "an unauthorized third party gained access to our servers on that same day." The organization says it immediately took steps to secure the information on those servers and began an investigation.
In a statement provided to Information Security Media Group, St. Peters says: "Our investigation determined an unknown and unauthorized third party deployed malware on our servers. We have no evidence that any patient information was successfully accessed or used in any way. However, we were unable to definitively rule that out."
St. Peter's is offering affected individuals one year of free credit monitoring.
Information exposed in the incident included, for example, demographic data, dates of service, diagnosis and procedure codes, insurance information and, in some instances, Medicare information or Social Security numbers.
The largest incident posted to the federal tally so far in 2018 was a "hacking/IT incident" impacting nearly 280,000 Medicaid patients at the Oklahoma State University Center for Health Sciences. A notification letter sent to affected individuals notes that the incident was discovered In November 2017.
Although hacker attacks are a major threat in the healthcare sector, the federal tally shows that lower-tech incidents - involving paper mailings - are still a nagging problem that's been at the root of at least two of the largest breaches posted to the tally this year.
On Feb. 16, Tufts Health Plan reported to HHS an "unauthorized access/disclosure" incident involving a paper mailing that impacted more than 70,000 individuals.
In a notification statement, Tufts says a mailing vendor used a window envelope to send health plan member identification cards between Dec. 11, 2017, and Jan. 2, 2018; members' ID numbers were visible through the window. Tufts Health Plan says it discovered the full extent of the error on Jan.18.
In another mailing-related snafu listed among the five largest breaches reported so far this year, Triple-S Advantage, an independent licensee of the BlueCross BlueShield Association in Puerto Rico, notified HHS on Feb. 2 of an incident in late 2017 impacting about 36,000 individuals.
In a notification statement, Triple-S Advantage says it discovered in early December that notices sent in November 2017 to healthcare providers involved in the treatment of its members were mailed to the wrong addresses.
Triple S has been previously sanctioned by federal and local regulators for other breaches, including one involving another mailing.
In February 2014, a government agency in Puerto Rico levied a $6.8 million HIPAA sanction against Triple-S subsidiary, Triple S Salud, for a 2013 breach involving a mailing error that affected about 13,000 beneficiaries. Then in December 2015, OCR slapped Triple-S with a $3.5 million settlement (see Puerto Rico Insurer Fined $3.5 Million in HIPAA Settlement).
Healthcare entities, as well as their business associates, can take important steps to avoid becoming victims of the types of breaches added to the wall of shame in recent weeks.
When it comes to preventing hacking incidents, Tom Walsh, president of consulting firm tw-Security, says: "Organizations need to shore up their network defenses to the point where hackers get discouraged because it is taking too long to hack in, thus forcing them to move on to a softer target."
Walsh suggests that defensive strategies include:
- Developing a solid patch management and change control program;
- Conducting vulnerability scanning of external facing and internal servers and systems - and remediating findings;
- Conducting a penetration test at least annually;
- Replacing or updating antiquated firewalls, routers and endpoint security.
"Newer firewalls have additional capabilities for dealing with today's malware," he says. "Traditional anti-virus solutions are usually one step behind the latest malware attack - look for behavior monitoring tools."
"Phishing threats are pervasive; they're a daily challenge that must be addressed."
—Susan Lucci, chief privacy officer, Just Associates
Susan Lucci, chief privacy officer at security and privacy consulting firm Just Associates, stresses the importance of employee education in mitigating malware risks.
"Employees are still clicking on links they think are legitimate. More must be done to help the workforce recognize the warning signals that this not OK," she says. "Phishing threats are pervasive; they're a daily challenge that must be addressed clearly before a true reduction in the number and impact of these attacks. HIPAA training programs and materials should be created and provided to all members of the workforce to provide specific and visual clues to identify the high risk of malware. A program that focuses on this one specific issue could help bring awareness and faster recognition to determine whether or not to 'click.'"
To minimize the risk of breaches involving paper records, organizations need to improve quality control. For example, they should make sure vendors hired to conduct mailings periodically check the envelopes to confirm what is being displayed, Walsh says.
"The vendor doing the mailing may not have educated their workforce regarding PHI and the consequences if PHI is displayed anywhere on or through an opening on the envelope. In fact, the vendor doing the mailing may likely be a subcontractor to the vendor doing the patient billing," he notes.
"Often we find in our evaluations of vendors that the responsibilities for HIPAA compliance are not properly communicated downward to the front line worker," he says. "While the vendor's executives may have signed a business associate agreement ... it is unusual to find any level of awareness regarding HIPAA at the lowest level of a vendor's workforce - the front line workers responsible for the machines that stuff the envelopes."
In cases like the recent Tufts mailing breach, Lucci says covered entities and their business partners "need to take a hard look at whether or not window envelopes ever make sense when PHI is potentially involved."