Latest US Health Data Breaches Follow Worrisome TrendsFederal Tally Underscores Biggest Hacking Threats, Risks From Vendors
Some 60 breaches affecting about 2.5 million individuals were added in July to the federal tally of major health data breaches. Those incidents continued a trend playing out in 2022: Large hacking incidents predominately involving ransomware attacks against providers, vendors or both are responsible for an overwhelming amount of data theft.
As of Monday, about 420 breaches affecting 25 million individuals have been posted so far in 2022 to the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool breach reporting website, which lists health data breaches that affect 500 or more individuals.
HHS OCR says 337 of those breaches affecting about 24.2 million individuals were reported as “hacking/IT incidents.” That means about 80% of the major breaches were related to hacking/IT incidents and accounted for a whopping 97% of all individuals affected by major breaches.
Data shows that vendors played a major role in these breaches. HHS OCR reported that 163 breaches affecting about 11.1 million individuals involved business associates. Third-party vendors are at the center of about 40% of the major HIPAA breaches reported so far this year, with those incidents affecting about 44% of all breached individuals.
Biggest Recent Breaches
In the last month alone, three of the largest health data breaches added to the HHS OCR website were reported as hacking/IT incidents involving ransomware and affecting a total of nearly 950,000 individuals. Two of those breaches were linked to business associates.
The three largest incidents in July were:
- An attack involving Hive ransomware reported by Indiana-based neurology practice Goodman Campbell Brain & Spine affecting nearly 363,000 individuals;
- A breach affecting more than 326,000 individuals reported by Connecticut-based health plan Aetna ACE involving an apparent ransomware incident against a subcontractor that provides mailing services;
- A hacking/IT incident affecting more than 254,000 individuals reported by Florida-based Synergic Healthcare Solutions LLC, which operates urgent care clinics under the name Fast Track Urgent Care Center. The incident involved a 2021 ransomware attack against PracticeMax, a practice management and billing services vendor.
"These trends indicate that this industry continues to struggle with adequate security programs and that hacking pays off," says Kate Borten, president of The Marblehead Group, a privacy and security consultancy. "Hacking healthcare organizations is very cost-effective for the perpetrators. Attacks are relatively inexpensive to launch and can bring big monetary rewards."
Federal authorities, including the FBI, HHS and Department of Homeland Security, in recent months have repeatedly warned of nation-state and related threats to the healthcare sector, with the ransomware group Hive being quite active in such attacks, says regulatory attorney Rachel Rose (see: HHS HC3 Warns Healthcare Sector of Hive Threats).
"The black-market value of healthcare information is higher than that of credit card or other types of sensitive personally identifiable information. There will likely be an increase in these types of attacks," Rose says.
Meanwhile, since the publication of the final HIPAA omnibus rule in 2013, business associates have been required to uphold the same security standards as covered entities, Rose says.
"There is no ambiguity. It is imperative that covered entities, business associates and subcontractors obtain reasonable assurances of compliance with the requisite technical, administrative and physical safeguards," she says.
Regulatory attention on the steady rise of business associate breaches appears to demonstrate that vendors are under closer scrutiny, says Susan Lucci, senior privacy and security consultant at consulting firm tw-Security. This is sending an important message to vendors, she says.
"As a result of this required higher level of standard security measures, business associates are far better prepared to understand and report a data breach than they might have been when the [HIPAA omnibus rule] became effective in 2013," she says.
While some vendors are facing more scrutiny by their covered entity clients, other obstacles are also at play, says Tom Walsh, president of tw-Security.
"Many organizations - covered entities and business associates - rely on contract labor. This is especially true when unemployment is low and there are not enough qualified people to fill vacant positions," Walsh says. "This creates challenges," he says. For instance, by Internal Revenue Service rules, contractors must use their own equipment, such as workstations, laptops, tablets and smartphones, he says.
"When an organization owns and controls equipment, they can use technical controls to enforce written security policies or standards," he says. "But it's not that easy to control the contractor's work environment and equipment. That is why vendor vetting and management are more important than ever."
Covered entities and business associates alike should conduct a comprehensive, annual risk analysis, training program for workforce members, update policies and procedures, encrypt data at rest and in transit, and ensure business associate agreements or data privacy and security agreements are carefully vetted and signed, Rose says.
"Ensuring that patches are up to date is also critical. If organizations have not had a penetration test done, they should at least annually. Larger organizations should consider a few throughout the year."
Other 2022 Trends
The second-most-common breach reported so far this year to federal regulators is unauthorized access/disclosure incidents. So far, 61 such incidents have been posted in 2022, affecting about 338,400 individuals.
While lost and stolen unencrypted computing devices dominated breach reports years ago, only 11 such breaches, affecting about 194,300 individuals, are posted to the HHS OCR website so far this year.
A snapshot Monday of HHS OCR's website shows that 4,861 breaches affecting nearly 351.1 million individuals have been reported since September 2009, when federal regulators began keeping a public tally.