Breach Notification , Data Breach

'Wall of Shame' Hits New Milestone for Health Data Breaches

Analysis: What the Latest Breach Statistics Mean
'Wall of Shame' Hits New Milestone for Health Data Breaches

The federal tally that lists major health data breaches has hit a new milestone: More than 2,000 breaches affecting 500 or more individuals have been reported since September 2009. And the tally shows a significant recent shift in the kinds of breaches being reported.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

An Aug. 9 snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website - often called the "wall of shame" - shows a total of 2,018 breaches since 2009.

It took about five years - from September 2009, when HHS began tallying breaches, to about April 2014 - for the wall of shame to reach the 1,000-breach milestone. More than 1,000 additional breaches have been added to the HHS Office for Civil Rights' tally in the three years since then.

The number of individuals affected by health data breaches also has surged in recent years. The number stood at 31.5 million individuals as of May 30, 2014 (see Health Data Breach Tally Tops 1,000 Incidents.) As of Aug. 9, the total affected stood at about 175 million individuals.

Several factors drove the surge in breach statistics over the last three years, notes Kate Borten, president of privacy and security consulting firm, The Marblehead Group.

"Covered entities now are doing a better job of reporting breaches, especially since the HIPAA Omnibus Rule clarified and put more strength into breach determination," she notes. "But it's also true that healthcare has become a high target for hackers as they recognize the value of patient data."

Source: U.S. Department of Health and Human Services

A key driver behind the surge in the number of affected individuals is hacking incidents that have been reported since 2015. Those include the largest health data breach reported to date - the cyberattack reported in February 2015 by health insurer Anthem, which resulted in a breach impacting about 78.8 million individuals.

Tally Remodeled

The breach tally, which in July underwent a makeover, now presents a few different views of the breaches reported to OCR. That includes a display of breaches currently under investigation that were reported within the last 24 months. As of Aug. 9, there were 349 such breaches listed.

The website also features an "archive" button that shows all breaches reported more than 24 months ago, as well as all breaches since 2009 for which OCR investigations have concluded. As of Aug. 9, there were 1,669 such breaches listed.

In addition, the website also includes a recently added "research report" function that combines and totals all breaches reported to OCR, regardless of whether they're still under investigation or when they were reported.

Other Trends

Besides hitting the 2,000-breach milestone, other trends are emerging from the federal tally.

For example, while lost or stolen unencrypted computing devices, including laptops, were previously responsible for the largest portion of breaches, hacking/IT incidents have taken over as the most common type of breach reported in the last 24 months that are still being investigated by OCR.

"Not only are there more hacking incidents, the number of patients impacted by these targeted breaches is alarming," says Susan Lucci, chief privacy officer and senior consultant at Just Associates, a Colorado-based healthcare data security consulting firm.

"The big takeaway here is that phishing is a successful way to get inside healthcare facilities," Lucci says.

"This means that ongoing reminders and providing real examples to employees in educational sessions are the key to preventing insider errors. Another important factor that we learned from the WannaCry ransomware is that with a growing number of the workforce working remotely, or even business associates with access to protected health information, it is imperative to ensure that patches and updates are installed as soon as they are released."

Under Investigation

Of the 349 breaches currently under investigation by OCR that have been reported in the last 24 months, 145 involved hacking/IT incidents; 125 involved unauthorized access/disclosure, which include incidents potentially involving insiders or external actors; and 71 involved lost or stolen unencrypted computing devices.

Since 2009, 348 reported hacking/IT incidents have impacted about 130.7 million individuals, or nearly 75 percent of those impacted by all 2,018 major health data breaches reported to OCR.

But in analyzing the breaches reported to OCR since 2009, poor encryption practices - especially in the initial years after the tally was launched - contributed to the largest number of breaches reported. To date, 690 breaches involving lost or stolen unencrypted devices, affecting a total of about 23 million individuals, have been reported to OCR.

"Although theft still is the highest incident of breaches, hacking affects far more individuals with each hacking incident," Lucci notes. "The cybercriminal activity clearly indicates that PHI presents far more value to the bad guys than just a credit card. The information that can be gleaned from an attack on the healthcare sector can be used for purposes such as opening a new credit card account, theft of IRS refund checks, obtaining healthcare treatment and getting access to prescription drugs. Unlike a credit card that can be cancelled, PHI data, like name, address, date of birth and Social Security numbers, lasts indefinitely."

The second most common type of breach reported since 2009 involves unauthorized access/disclosure, which was cited in 548 breaches impacting a total of 7.5 million individuals.

Making Progress?

Borten says healthcare entities are doing a better job lately with encryption and preventing breaches involving lost or stolen computing devices.

"Organizations are encrypting portable devices and media more routinely these days," she says. "Especially when an organization controls user devices and media, encryption is relatively straightforward. When a device or medium, such as a USB stick, go missing, often the organization claims the object was encrypted and, hence, no breach occurred."

So, how is 2017 shaping up so far?

As of Aug. 9, a total of 197 breaches impacting about 3.4 million individuals have been reported to OCR this year. That includes 79 hacking/IT incidents affecting 2.2 million individuals, or nearly 65 percent of victims impacted by major health data breaches reported so far this year.

Also, so far in 2017, 68 breaches involving unauthorized disclosure/access impacting a total of 311,000 individuals have been reported to OCR.

But only 27 breaches involving lost or stolen unencrypted computing devices have been reported so far this year. Those incidents impacted nearly 154,500 individuals.

Smaller Breaches

Organizations should not forget, however, that the majority of breaches involve smaller numbers of records and that insiders are often the culprits, Borten warns.

"It's also worth noting that many more breaches occur than are reported on the 'wall of shame,' which lists only breaches involving 500 or more individuals. Further, it is likely that breaches continue to occur and go unnoticed."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network