Analysis: 2016 Health Data Breaches, and What's Ahead
Experts Offer Predictions for Trends in 2017
For the second year in a row, the vast majority of health data breach victims were affected by hacker attacks in 2016, and the trend shows no signs of abating.
"Hacking is just getting rolling in healthcare, or probably more accurately, just beginning to be recognized more often," says Mac McMillan, CEO of the security consulting firm CynergisTek.
Experts say the healthcare sector should be prepared to deal with more ransomware attacks and other types of extortion attempts in 2017, as well as an uptick in distributed denial-of-service assaults and security breaches involving internet of things devices.
'Wall of Shame' Snapshot
As of Jan. 4, the Department of Health and Human Services' "wall of shame" tally of health data breaches impacting 500 or more individuals listed 310 incidents in 2016 affecting 16.1 million individuals. But as the HHS Office for Civil Rights confirms details of other major breaches reported in 2016, the total tally for breaches last year could continue to grow.
Before 2015, most data breach victims were affected by incidents involving the loss or theft of unencrypted computing devices. But then things began to change as cyberattacks began ramping up. A handful of huge hacker attacks on health plans impacted more than 100 million individuals in 2015. The largest of those attacks, which targeted Anthem Inc., affected nearly 79 million individuals.
And in 2016, the trend continued, although far fewer victims were affected: The top five health data breaches all involved hacking. Combined, they impacted nearly 11 million individuals - or about two-thirds of all major health data breach victims last year.
10 Largest Health Data Breaches in 2016
| Entity | Number of Affected Individuals | Type of Breach |
| --- | --- | --- |
| Banner Health | 3.6 million | Hacking incident |
| Newkirk Products | 3.5 million | Hacking incident |
| 21st Century Oncology | 2.2 million | Hacking incident |
| Valley Anesthesiology Consultants | 883,000 | Hacking incident |
| County of Los Angeles Departments of Health and Mental Health | 749,000 | Hacking incident |
| Bon Secours Health System | 652,000 | Unauthorized access/disclosure |
| Peachtree Orthopedic Clinic | 531,000 | Hacking incident |
| Radiology Regional Center | 483,000 | Loss |
| California Correctional Health Care Services | 400,000 | Theft |
| Central Ohio Urology Group | 300,000 | Hacking incident |
Nearly a third - or 102 - of all breaches listed for 2016 on the federal tally are described as hacking/IT incidents. In addition, 126 are listed as "unauthorized access/disclosure" breaches, but some of those incidents are known to have involved a cyberattack.
For instance, the second largest "unauthorized access/disclosure" incident for 2016 on the tally was a breach reported by Georgia-based Athens Orthopedic Clinic that affected 201,000 individuals. In a July statement, the clinic alerted patients that it "experienced a data breach due to an external cyberattack on our electronic medical records using the credentials of a third-party vendor."
An Athens Orthopedic Clinic spokeswoman confirmed to Information Security Media Group in July that the clinic was one of several healthcare organizations that fell victim to a hacker dubbed "The Dark Overlord" who posted for sale on the dark web patient data stolen during cyberattacks on those entities.
Since federal regulators began keeping track of major health data breaches in September 2009, they've listed 1,785 breaches affecting nearly 171 million individuals on the official tally. Of those, only 258 breaches are listed as hacking/IT incidents, but those affected a whopping 129 million individuals.
Missing from the wall of shame are some high-profile ransomware attacks - especially those occurring in early 2016 - that apparently were not reported as breaches to OCR.
That includes the February 2016 ransomware attack on Hollywood Presbyterian Medical Center, which involved the hospital paying $17,000 to extortionists to unlock encrypted data.
To help alleviate confusion about ransomware-related breach reporting requirements, OCR in July issued guidance advising that most - but not all - ransomware attacks that result in a breach of protected health information must be reported to federal regulators under HIPAA.
Healthcare a Prime Target
Several factors are driving attacks on the healthcare sector, says Mark Turnage, CEO of Owl Cybersecurity.
"Many healthcare records contain such a wealth of personally identifiable information that bad actors can leverage," he notes. "They can access current victim accounts or, in many cases, use the information to open up new, fraudulent accounts in the victim's name because of the volume of rather easily accessible information contained in healthcare files. As a result, these files allow criminals to access healthcare services, financial services and information to use the victim's identity to commit further fraud or crime."
Dan Berger, CEO of security consulting firm Redspin, contends it's an "unfair generalization," however, to label healthcare organizations as "soft targets."
"First, it diminishes some of the great [security] work that has been done at many health organizations over the past few years," he says. "Second, it fails to acknowledge the inherent difficulty in safeguarding patient health information. More than any other dataset, ePHI is meant to be widely shared among authorized users yet kept strictly private."
In addition, large hacking groups backed by nation-states, "through sheer numbers and more resources, can literally overrun most health organizations' defenses," Berger says.
Evolution of Attacks
Ransomware attacks will continue in 2017, but could eventually taper off, says McMillan of CynergisTek. "We'll see more, but the future is uncertain as to whether that will continue unabated. Both the industry's investments in advanced solutions and law enforcement are helping to stem the tide."
McMillan predicts cyberattacks could evolve into new or modified types of assaults not frequently seen in the healthcare sector so far. "We need to watch out for more creative extortion attempts using DDoS attacks, as well as theft of data," he warns.
In addition, healthcare organizations need to be on guard for security incidents involving the internet of things, McMillan says. "This will become the next shadow IT nightmare for organizations."