Wall of Shame: Mid-Year 2016 Breach Trends

Hacker Attacks Rise, But Fewer Victims Impacted

The federal tally of major health data breaches shows that so far in 2016, there have been more hacker incidents reported than during the first half of 2015. However, so far this year, these hacks appear to be affecting fewer individuals than were impacted by the handful of mega-sized cyberattacks that occurred during the early part of 2015.

A July 7 snapshot of the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website, which lists breaches affecting 500 or more individuals, shows that to date there have been 43 reported hacking/IT incidents affecting a total of about 2.7 million individuals in 2016.

By comparison, during the same months of 2015, there were 37 reported hacking incidents listed on the wall of shame, but that smaller number of breaches affected a much bigger total: 93.2 million individuals, or nearly 35 times more individuals than have been impacted by hacker health data breaches so far this year.

Why such a big difference? During the first half of 2015, the healthcare sector was hit by attacks on several large health plans, including the two biggest health data hacker breaches to date: Anthem Inc., which affected 78.8 million individuals, and Premera Blue Cross, which impacted 11 million individuals.

Changing Trends?

The shift in hacking incidents reveals a new trend, say some security and privacy experts.

"What is both interesting and worrisome is that the nature of these attacks has changed," says Dan Berger, CEO of security consulting firm Redspin. "Rather than the state-sponsored, large-scale attacks on insurers we saw in 2015, it appears that primary care facilities and specialty clinics - podiatry, radiology, oncology, pain management - are being targeted this year. This tells me that more local actors and identity thieves are apt to be involved - and that black market demand for personal health information remains strong."

There are also other factors contributing to an uptick in the number of hacker incidents, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.

"Numerous industry sources are seeing clear trends on reports of an increase of successful malware attacks that infiltrate network information systems on which there are stored large numbers of patient records," he says. "Are the current trends the result of a greater number of successful attacks, or are the increased reports due to heightened vigilance in recognizing security incidents?"

So far in 2016, the largest health data hacker breach reported was in March by 21st Century Oncology. That incident - which is also the largest of all types of HIPAA breaches listed on the wall of shame so far in 2016 - affected 2.2 million individuals.

5 Largest Health Data Hacker Breaches in 2016 So Far:

| Entity | # Individuals Affected |
|---|---|
| 21st Century Oncology | 2.2 million |
| Southeast Eye Institute, P.A. dba Eye Associates of Pinellas * | 87,314 |
| Medical Colleagues of Texas | 68,631 |
| Alliance Health Networks, LLC | 42,372 |
| Stamford Podiatry Group P.C. * | 40,491 |

*Breach resulting from cyberattack on business associate Bizmatics.

Source: Department of Health and Human Services

More to Come?

But it's very possible that by the time 2016 ends, there will be many additional large hacker-related incidents added to the wall of shame.

For instance, missing from the wall of shame - at least so far - are several high-profile ransomware-related incidents that occurred in the early months of 2016, which may or may not have been reported to HHS due in part to some industry confusion about whether ransomware attacks qualify as reportable protected health information breaches under HIPAA (see Congressmen: Ransomware Requires New Guidance).

Among incidents that aren't listed on the wall of shame so far is the ransomware attack on Hollywood Presbyterian Medical Center, which said in February that it paid about $17,000 to extortionists to unlock data that had been encrypted by the attackers.

Among top hacker incidents that are listed on the wall of shame are several breaches reported by at least 17 covered entities impacted by a cyberattack on their common cloud-based electronic health records vendor, Bizmatics Inc.

So far, there are nearly 264,000 total individuals impacted by the breaches reported involving Bizmatics. However, because Bizmatics says on its website that its PrognoCIS EHR is used by 15,000 medical professionals, some experts expect more covered entities potentially will report breaches related to Bizmatics, a business associate under HIPAA.

"Without question, vendor risk management is one of the most challenging tasks facing covered entities," Berger says. "Information sharing is the cornerstone of many of the patient-centered care initiatives - and technology is the enabler. At the same time, every link in the chain is potentially vulnerable."

And while the wall of shame offers a snapshot peek into larger breaches involving protected health information, it doesn't provide the full picture of all trends involving health data, says Rebecca Herold, CEO of The Privacy Professor and co-founder of SIMBUS360 Security and Privacy Services.

"Taking into consideration the larger universe of breaches beyond the healthcare space, and also the many additional locations where PHI is now located - personally owned devices, Internet of Things devices, third-parties and beyond," she says, "I believe there is more hacking activity than ever before, along with more unauthorized access and lost and stolen devices than ever before when considering we have more data than ever before, more computing and digital storage devices than ever before, and more motivation to nefariously use personal data that is increasing in value to criminals."

Other Breaches

As of July 7, there were 1,600 breaches affecting a total of about 159 million individuals posted on the wall of shame, going back to when federal regulators began keeping the tally in September 2009. That includes 141 breaches affecting a total of about 4.48 million individuals that have been added to the wall of shame so far in 2016.

5 Largest Health Data Breaches in 2016 So Far:

| Entity | Type of Breach | # Individuals Affected |
|---|---|---|
| 21st Century Oncology | Hacking/IT Incident | 2.2 million |
| Radiology Regional Center | Lost Paper/Film | 483,063 |
| California Correctional Health Care Services | Laptop Theft | 400,000 |
| Premier Healthcare | Laptop Theft | 205,748 |
| Community Mercy Health Partners | Improper Disposal Paper/Film | 113,528 |

Source: Department of Health and Human Services

Besides hacker incidents, other large breaches added to the wall of shame so far in 2016 include an assortment of incidents involving longtime, common culprits such as lost or stolen unencrypted laptops, as well as lost, stolen or improperly disposed paper and film patient records.

Those incidents include stolen unencrypted laptop breaches reported by the California Correctional Health Care Services, which provides health services to California prison inmates, and Premier Healthcare, a multi-specialty group practice in Bloomington, Ind. Respectively, the breaches impacted 400,000 and 206,000 individuals.

Also among the largest breaches of 2016 is an incident involving Florida-based Radiology Regional Center, which occurred on Dec. 15, 2015, but was reported to HHS on Feb. 12.

That Radiology Regional incident - which involved a mishap by a business associate hauling away paper and x-ray records of 483,000 patients in a disposal truck for incineration - is also the largest breach to date involving lost, stolen or improperly disposed paper or film records listed on the wall of shame.

Business Associate Breaches

Of all breaches listed on the wall of shame to date, nearly 20 percent are reported as involving a business associate.

However, some experts predict more breaches involving business associates will show up on the wall in 2016 and beyond, especially since HIPAA omnibus made business associates directly responsible for HIPAA compliance in 2013.

"As awareness of information security and privacy threats and vulnerabilities increases, so does the awareness of risks within all types of organizations," notes Herold. "Historically I've seen business associates that have experienced breaches that they didn't even realize were breaches, and so those went unreported - despite recommendations for them to report them," she says.

"I'm seeing more covered entities outsource a wider variety of activities involving PHI than ever before," she says. "Considering all this, I believe business associates, including their subcontractors, are a bigger threat to covered entities than ever before."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



