Analysis: Top Health Data Breaches So Far in 2017Federal Tally Shows Continued Uptick in Hacking Incidents
With the exception of one large theft incident involving an insider, hacker attacks - including some involving ransomware - remain the leading culprits in the biggest health data breaches reported so far this year to federal regulators.
See Also: HIPAA Audits: A Revised Game Plan
As of July 3, 149 breaches affecting a total of nearly 2.7 million individuals have been reported to federal regulators so far in 2017, according to the Department of Health and Human Services' so-called "wall of shame" website of breaches affecting 500 or more individuals.
Of those 2017 breaches, 53 are listed as hacking/IT incidents. And although they only represent about one-third of the breaches reported in 2017, those incidents are responsible for affecting 1.6 million individuals, or about 60 percent of the victims impacted.
For example, four of the five largest breaches reported so far in 2017 involved hacking/IT incidents. Of those, at least two have been disclosed by healthcare entities in their public breach notification statements as involving ransomware.
Those incidents include a ransomware attack reported to HHS on June 16 by Airway Oxygen, a Michigan-based provider of oxygen therapy and home medical equipment. That incident is listed on the federal tally as affecting 500,000 individuals, making it the second largest health data breach posted so far this year.
5 Largest Health Data Breaches in 2017, So Far
|Entity||# Individuals Affected||Breach Type|
The other known ransomware incidents listed among the top five breaches so far in 2017 was reported in March by Texas-based specialty practice, Urology Austin. That incident is listed as affecting nearly 280,000 individuals.
And while neither the Airway Oxygen nor Urology Austin incidents are listed on the wall of shame with details yet attributing the breaches to ransomware, each entity issued breach notification statements to affected individuals naming ransomware as the culprit.
However, despite the continuing surge in hacking related incidents, the largest health data breach added so far this year to the federal tally was an insider incident that was reported in March by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp.
That incident, affecting 698,000 individuals, involved a former Med Center Health employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, "without any work-related reason to do so," the company said in a statement.
Breaches Since 2009
Since the HIPAA breach notification rule took effect in September 2009, 1,971 breaches impacting nearly 174.3 million individuals have been posted on the federal tally as of July 3. Of those, 322 - or only about 16 percent - are listed as hacking/IT incidents. However, those incidents affected about 130.2 million individuals, or nearly 75 percent of all victims impacted by reported health data breaches.
Several massive cyberattacks on health insurers in 2015 are responsible for the majority of those victims impacted - the largest being the attack on Anthem Inc., which affected about 78.9 million individuals.
That breach is at the center of a recently proposed record-breaking $115 million settlement awaiting federal court approval in a consolidated class action lawsuit against Anthem (see $115 Million Settlement in Massive Anthem Breach Case).
While the healthcare sector has so far not had another cyberattack as massive as the one on Anthem in February 2015, smaller hacking incidents, including ransomware attacks, continue to appear on an uptick.
In recent weeks, a number of large breaches involving ransomware-related hacking incidents were reported to federal regulators. However, so far, none of the incidents listed on the wall of shame appear to be related to the recent WannaCry or NotPetya attacks.
Recent Hacker Breaches
Among other recent incidents added to the "wall of shame" involving hacker attacks:
- Cleveland Medical Associates, based in Tennessee, reporting to HHS on June 20 a ransomware attack occurring in April that involved protected health information of 22,000 individuals.
- Family Tree Health Clinic, based in Texas, reporting to HHS on June 19 a ransomware attack occurring in April that impacted data of 13,402 individuals. A Family Tree breach notification statement says no ransom was paid and data was restored using backups.
- Torrance Memorial Medical Center, based in California, reporting to HHS on June 19 a phishing incident in April that impacted two email accounts containing personal information of potentially 46,632 individuals.
Mac McMillan, president of security consulting firm CynergisTek ,says more hacking related breaches, including those involving ransomware attacks, will undoubtedly be added to the "wall of shame" in the months to come.
"I believe we will, as the pace of these attacks is increasing, and the targets are not just the big systems," he says. "The smaller organizations are more susceptible, as many of them have fewer resources for security, are more likely to have older systems no longer supported, and less sophisticated detection and alert capabilities," he says. Ransomware "is a regular occurrence now. The good news is that only a few actually require notification [to HHS], but the disruption caused is always costly," he says.
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, agrees that hacking incidents, including ransomware attacks, will continue being a more frequent culprit in breaches involving health data.
"Cybercrooks go to where the most money can be made. They see that ransomware can be lucrative, and they can get away without being caught. Because of these facts there will be more cybercrooks, and more hacking," she says.
Still, there is also good news and bad news when it comes to measures being taken by covered entities and business associates to prevent breaches involving health data, she says.
"In my experience, [organizations] are doing better with facility network controls and scanning, and improved anti-malware practices. Also, I've see a good portion of covered entities improving on their encryption practices," she says.
However, "I see huge problems still with their mobile computing, with their backups and disaster recovery plans, with their lack of good and frequent information security and privacy training and accompanying awareness reminders, with controlling their Internet of Things devices and with having effective vendor/business associate security and privacy oversight management," she says.
McMillan says healthcare sector organizations need to be on their guard for more cyber assaults. "I do not see any abatement in the hacking incidents we're seeing right now. As long as they are successful, as long as organizations pay the ransom, bad actors will continue carry out their attacks."