Breach Tally Shows More Hacker Attacks
Phishing Scams Among Newly Listed Healthcare Incidents
The official federal tally of major health data breaches shows that the healthcare sector continues to be a growing target for hackers, including those waging phishing attacks.
As of April 29, the Department of Health and Human Services' "wall of shame" website of breaches affecting 500 or more individuals shows 1,213 incidents affecting more than 133.2 million individuals since September 2009, when the HIPAA breach notification rule went into effect. One incident, the recent hacking attack against health insurer Anthem Inc., accounts for 78.8 million of those victims.
Among the breaches most recently added to the list is an incident involving phishing email targeted at employees of St. Agnes Health Care Inc. in Baltimore.
The incident, which was reported to HHS on April 24, affected nearly 25,000 individuals. The organization says in a statement that information exposed in the hacker attack includes patient names, dates of birth, medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers.
"Through a fraudulent email communication, sophisticated hackers gained access to protected health information contained in an employee email account," the healthcare provider says. "The user name and password for the email account was immediately shut down, and Saint Agnes launched a thorough investigation into the matter. Saint Agnes engaged computer forensics experts who were able to conduct an analysis of what information was included in the affected email account. The analysis involved manual and electronic review of the information to determine the scope of the incident and identify all individuals affected."
Other healthcare entities have also been defending against a spike in phishing schemes. Over the last six months, the University of Vermont Medical Center has seen an uptick in phishing attempts, including those "laced with malware in an attempt to steal credentials," says CISO Heather Roszkowski in a recent interview with Information Security Media Group.
"I've really been trying to increase user awareness training around phishing to avoid those credentials from being exploited," she says. This extra vigilance in defense of phishing comes in the wake of massive hacking attacks in the healthcare sector, including those affecting Anthem, Premera Blue Cross and Community Health System.
Besides the hacking attack on St. Agnes, several other phishing incidents have been added to the federal breach tally in recent weeks. Those include a phishing incident discovered in February but disclosed last week by Seton Family of Hospitals in Texas, affecting 39,000 individuals. The Dec. 4, 2014, phishing attack targeted the user names and passwords of Seton employees, the organization says in a statement.
"Upon the determination that an email account had been compromised, the user name and password was immediately shut down," the statement says. Affected patient data includes demographic information, such as name, address, gender, date of birth, and also medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers. "The hackers did not gain access to individual medical records or billing records."
Another phishing-related attack added to the tally affected about 760 patients at St. Vincent Medical Group in Indiana, which, like Seton, is also part of Ascension Health System (see Phishing Leads to Healthcare Breach).
Some of the other recently added breaches listed on the federal tally appear to be part of the massive hacking attack on Anthem earlier this year, which affected data the insurer stored from certain other health plans.
For example, a breach reported by the Virginia Department of Medical Assistance Services, or VA-DMAS, a health plan, is listed on the federal website as a hacking incident involving a network server and affecting more than 697,000 individuals. However, a VA-DMAS spokesman explains to Information Security Media Group that "DMAS as a covered entity ... posted 697,586 to identify the Virginia residents that were affected by the Anthem breach and the number is included in the [nearly] 80 million [victims] that Anthem posted. DMAS wanted to ensure that [HHS] Office of Civil Rights knew that DMAS is communicating with Anthem to ensure protocols were followed appropriately."
The DMAS spokesman explains: "Anthem is DMAS' only statewide health plan provider for our managed care program. They are also the largest of our six Medicaid health plan providers. Unrelated to the issue of Medicaid - Anthem is also the primary provider to the Commonwealth of Virginia state employees' health plan."
Another hacking incident linked to the Anthem breach, now listed on the federal tally, is a breach reported by health plan Freelancers Insurance Company of New York. That incident affected 43,000 individuals. Freelancers Insurance Co. uses the BlueCross BlueShield BlueCard PPO network of doctors, hospitals, and other medical providers. Anthem says BlueCard members were impacted by the Anthem breach.
"It appears that most hacking incidents involve health plans," says privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group. "Hackers are learning that health plans are rich data sources." The spike in hacking-related incidents posted on the federal tally "also may be due, in part, to better recognition and reporting of these breaches," she adds.
While hacking attacks grab headlines, unauthorized access and disclosure breaches continue to be a big problem, too. As of February, about 19 percent of major breaches were attributed to such incidents, versus about 7 percent being related to hacking attacks, according to OCR.
One such case added to the tally in April is an identity theft incident reported by the City of Philadelphia Fire Department Emergency Medical Services Unit. In that breach, approximately 81,000 individuals were impacted by unauthorized access to information by a former employee of the firm providing billing services to the department's ambulance unit.
Borten expects the reporting of all types of health data breaches, including those involving cybercrime, to continue to climb.
"I believe we will continue to see the number of reported breaches rise, despite stronger efforts to protect data," she says. "First, the HIPAA Omnibus Rule clarified the breach definition and left little room for doubt with its presumption of breach. Second, personally identifiable health data continues to have high street value, leading to more attacks."