Unencrypted Device Breaches PersistHealth Data Breach Tally Shows String of Theft Incidents
Although hacker attacks have dominated headlines in recent months, a snapshot of the federal tally of major health data breaches shows that stolen unencrypted devices continue to be a common breach cause, although these incidents usually affect far fewer patients.
As of June 23, the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.
Those totals have grown from 1,213 breaches affecting 133.2 million individuals in an April 29 snapshot prepared by Information Security Media Group (see Breach Tally Shows More Hacker Attacks).
The federal tally lists all major breaches involving protected health information since September 2009, when the HIPAA Breach Notification rule went into effect. As of June 23, about 52 percent of breaches on the tally listed "theft" as the cause.
Among the breaches added to the tally in recent weeks are about a dozen involving stolen unencrypted computers. Lately, those type of incidents have been overshadowed by massive hacking attacks, such as those that hit Anthem Inc. and Premera Blue Cross.
"Although we've seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization," says privacy and security expert Kate Borten, founder of the consulting firm, The Marblehead Group. "Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is 'the' most common breach scenario affecting organizations of any size."
Borten predicts that many incidents involving unencrypted devices will continue to be added to the wall of shame. "Getting those devices encrypted is an ongoing challenge when we expand the requirement to tablets and smartphones, particularly when owned by the users, not the organization," she says. "We also shouldn't overlook encryption of media, including tapes, disks and USB storage drives."
Unencrypted Device Breaches
The largest breach involving unencrypted devices that was recently added to the tally was an incident reported to HHS on June 1 by Oregon Health Co-Op., an insurer.
That incident, which impacted 14,000 individuals, involved a laptop stolen on April 3. In a statement, the insurer says the device contained member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. "There is no indication this personal information has been accessed or inappropriately used by unauthorized individuals," the statement says.
Also recently added to the federal tally was a breach affecting 12,000 individuals reported on June 10 by Nevada healthcare provider Implants, Dentures & Dental, which is listed on the federal tally as "doing business as Half Dental." The incident is listed as a theft involving electronic medical records, a laptop, a network server and other portable electronic devices.
In addition to the recent incidents involving stolen or lost unencrypted devices, several breaches added to the wall of shame involve loss or stolen paper records or film.
"Breaches of non-electronic film and paper will never end, but at least these breaches are typically limited to one or a small number of affected individuals," Borten says. Because many of the breaches involving paper or film are often due to human error, "effective, repeated training is essential" to help prevention of such incidents, she says.
Hacking Incidents Added
The largest breach added to the tally in recent weeks, however, is the hacker attack on CareFirst BlueCross BlueShield, which was reported on May 20 to HHS and affected 1.1 million individuals. Baltimore-based CareFirst has said that an "unauthorized intrusion" into a database dating back to June 2014 was discovered in April by Mandiant, a cyberforensics unit of security vendor FireEye, discovered the attack on CareFirst in April. Mandiant was asked by CareFirst to conduct a proactive examination of CareFirst's environment, following the hacker attacks on Anthem and Premera.
Another hacker incident added to the tally affected South Bend, Ind.-based Beacon Health System. That incident, reported to HHS on May 20, is listed as affecting about 307,000 individuals. The organization has said patients' protected health information, including patient name, doctor's name, internal patient ID number, and in some cases, Social Security numbers and treatment information, was exposed as a result of phishing attacks on some employees that started in November 2013. The attacks led to hackers accessing "email boxes" that contained patient information.
Addressing Multiple Threats
Healthcare organizations need to continue their efforts to protect data from the threats posed by cyber-attackers, insiders or street thieves, says Borten, the consultant.
"There's no simple answer, but security is complex, and so the solutions, or mitigating controls, must be numerous and varied."