Breach Tally: HIPAA Omnibus' ImpactHave New Reporting Guidelines Affected 'Wall of Shame' Tally?
It's been two years since enforcement of the HIPAA Omnibus Rule's modified breach notification requirements began. But the most significant changes on the federal tally of major health data breaches since then appear to have more to do with a surge in hacker activity than the new requirements under HIPAA Omnibus.
See Also: HIPAA Audits: A Revised Game Plan
As of Sept. 29, the Department of Health and Human Services' Office of Civil Rights' "wall of shame" website listing breaches impacting 500 or more individuals shows 1,338 breaches affecting a total of 153.8 million individuals since September 2009.
When the breach notification rule was modified under HIPAA Omnibus, some experts predicted the number of breaches reported would surge because of its new, more objective, requirements. Indeed, there was as surge in the first year after enforcement began. But since then, growth in the number of breaches reported has substantially leveled off. Significantly, however, a handful of recent mega-breaches involving hackers have affected many millions of victims.
The total number of breaches on the tally has nearly doubled since Sept. 23, 2013, when HIPAA Omnibus enforcement kicked in, but the number of individuals affected is up almost five-fold (see After HIPAA Omnibus, Breach Tally Spikes). In the last 12 months, however, the total number of breaches grew by only about 19 percent, but the total number of individuals tripled, largely due the hacker attacks.
The 10 largest breaches in 2015 have all involved hackers, affecting a total of 111.2 million individuals. Of those, the top five breaches alone affected more than 108 million individuals, including the cyberattack on Anthem Inc., which affected about 79 million, and the hacker attack on Premera Blue Cross, which impacted 11 million.
The third largest breach since 2009 was added to the list just this month: The cyberattack on Excellus BlueCross BlueShield that was revealed by the health plan earlier this month, which affected 10 million individuals.
Top Five HIPAA Breaches So Far in 2015
Analyzing the Trends
"We are seeing more big data breaches mainly because they are happening more often as cybercriminals recognize the commercial value of the data," notes privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group. "While clarifying the breach determination process is likely to have resulted in more reported breaches, the fact is that there continue to be many more small and midsize breaches than large ones."
Under the modified breach notification rule, security incidents are now presumed to be reportable breaches unless organizations demonstrate through a four-factor assessment that risks of compromise to protected health information is low. Prior to the rule modifications, reportable incidents were determined more subjectively, based on whether the incident was likely to cause an individual reputational, financial or other harm.
"In my own experience dealing with clients, people are taking the [modified breach notification rule] seriously," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "But what's less clear is whether what's being reported would've been reported anyway. Overall, I don't think it's made much impact. We're still seeing plenty of modest-sized breaches, but the most significant breaches we're seeing now have been due to hackers."
Breaches Tied to Mistakes Continue
Despite tens of millions of individuals being affected by fewer than a dozen of the 200-plus breaches that have been added to the Wall of Shame within the last 12 months, more incidents involving mistakes by organizations are still showing up on the tally, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"What is surprising to me is that we are not seeing overall reductions in the gross numbers of reportable breaches due to theft and loss of [unencrypted] media and devices," he says. "With the increased attention, awareness and availability of user-friendly, affordable encryption solutions, these types of breaches are eminently preventable. Yet, they continue to be occur at an alarming rate."
Nevertheless, some experts predict that a relatively small number of new mega-hacking incidents will continue to account for the majority of breach victims in the months and years ahead.
"We expect more hacking attacks to be reported during the remainder of 2015 and well into 2016," says Dan Berger, CEO of security consulting firm Redspin.
Holtzman agrees with that prediction. "Indications are that organizations with large networks associated with health insurers are performing retrospective forensic audits in which they are discovering that their systems had been infiltrated months earlier," he notes. "I expect to see additional reporting of these incidents as they are discovered." That was the case with both the Excellus and CareFirst Blue Cross Blue Shield breaches. In both situations, the health plans belatedly discovered they too were victims of cyberattacks after hiring a third-party to perform a forensic review of their systems following the hacker attack on Anthem.
Healthcare entities and business associates can take a number of steps to improve breach prevention, experts say.
"To combat this, first acknowledge the problem: Healthcare organizations currently underspend on security," Berger says. "Those days are over. We recommend looking beyond the HIPAA security risk assessment to more direct security testing, such as penetration testing and social engineering."
Holtzman emphasizes that health systems "must do a better job of protecting the enterprise, hardening their systems, enhancing detection capabilities of networks, testing application environments and increasing the education of its workforce."
Breach detection and reporting is still a weak area for many entities, Borten contends. "I believe many, if not most, breaches are still going undetected," she says. "And in spite of the HIPAA Omnibus Rule clarification on breach determination, some organizations continue to misinterpret security and privacy incidents and underreport."