Analyzing Health Data Breach Trends
Fewer Individuals Affected in 2012; What's Ahead for 2013?
Far fewer individuals were affected by health data breaches last year than in 2011, based on the current federal "wall of shame" tally of major breaches.
Because the Department of Health and Human Services adds incidents to its tally as it confirms details, the 2012 list could continue to grow. But as of Feb. 21, the list of major breaches (those affecting 500 or more individuals) shows that incidents that began in 2012 totaled about 125 and affected about 2.2 million individuals. By comparison, the tally lists more than 150 incidents that began in 2011, affecting almost 11 million individuals.
One huge factor in the drop in the number of breach victims in 2012 was a big decline in mega-breaches. In 2011, the five largest breaches affected a combined total of more than 9 million individuals. In 2012, the five largest incidents affected a total of less than 1.5 million people.
Since September 2009, when HHS began its tally, it has posted 543 breaches affecting more than 21.5 million individuals. Of those breaches, more than half involved the loss or theft of unencrypted computing devices or storage media.
Six out of seven breaches added to the tally in the past month involved theft of unencrypted devices. In total, the seven breaches added to the list affected about 45,000 individuals.
The Threats Ahead
Dan Berger, CEO of IT security services provider Redspin, says ramped-up HIPAA enforcement is playing an important role in motivating organizations to take breach prevention steps. The HHS Office for Civil Rights in 2012 announced several multi-million dollar penalties stemming from breach investigations (see: Another Big Fine After a Small Breach).
But Berger and other observers warn that although wider use of encryption could lead to fewer breaches tied to lost or stolen devices in the months ahead, hacking incidents could become more common.
In fact, the largest 2012 breach on the federal tally was a hacking incident at the Utah Department of Health that affected 780,000 individuals (see: Utah Health Breach Affects 780,000). In that incident, hackers from Eastern Europe attacked a Utah state server containing claims data for Medicaid and Children's Health Insurance Plan beneficiaries.
"That was the canary in the coal mine," Berger says.
Only about 6 percent of breaches on the federal tally, which tracks incidents since September 2009, have involved hacking, Berger notes. But he believes that's largely because these incidents often go undetected. Many organizations don't regularly run scans that can detect suspicious activities or don't follow up on investigating anomalies if they're found, he contends.
"Hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes," according to a new Redspin breach trends report.
Andrew Litt, M.D., chief medical officer at computer manufacturer Dell Inc., offers a similar perspective. "There's increasing recognition that hospitals are a target of hackers, and that the risk is increasing," he says.
Hospitals are increasingly seen as targets for hackers looking to tap computing resources "as a testing ground or conduit" for launching attacks against larger entities, including insurers, to which hospital systems are connected, Litt contends.
In addition, hackers or others could "come in and hold records hostage" in situations involving business disputes, says privacy attorney Marcy Wilder of the law firm Hogan Lovells. As a result, healthcare organizations need to keep a careful eye on their supply chain partners, says Harriet Pearson, another attorney with the firm. "There are so many providers and vendors in healthcare services, the chain is only as good as the weakest link," she says.
Among other steps that organizations can take to prevent hacking attacks are implementing frequent penetration testing and vulnerability assessments, Berger suggests.
Besides external hacker threats, healthcare organizations face the risk of unauthorized access to records by staff members.
For example, another one of the largest 2012 breaches involved unauthorized access to information on 228,000 individuals at the South Carolina Department of Health and Human Services (see: Arrest in S.C. Medicaid Info Breach).
On Feb. 20, South Carolina Attorney General Alan Wilson announced indictments against two people - including a former state health department employee - in connection with the unlawful access and use of confidential records. So far, authorities have not disclosed whether ID theft or other fraud was involved.
Patient data is an attractive target for hackers and others looking to profit. "On the black market, the value is about $50 per health record," Litt says. The information can be sold by hackers for use by others to commit ID theft and other fraud.
Steps organizations can take to address insider threats include limiting employee access to patient information, improving worker training on privacy policies and consequences for violations, and deploying auditing tools that flag suspicious activities or unauthorized access (see: Arrests, Lawsuit in Hospital ID Thefts).
Impact of HIPAA Omnibus
The recently released HIPAA Omnibus rule includes more extensive, objective breach notification guidelines. Some observers predict the number of breach notifications will grow as organizations apply the guidance, which spells out how to assess whether an incident likely resulted in data being compromised.
Also under HIPAA Omnibus, business associates and their subcontractors must be HIPAA compliant - and more companies fall under the newly expanded business associate definition.
About 21 percent of all breaches on the federal tally have involved business associates.