Hacking Incidents, Vendor Breaches Keep Surging
Analysis of Health Data Breach Trends So Far in 2021
Hacking incidents - including ransomware attacks, phishing scams and messy episodes involving vendors - are still the dominant culprits in major health data breaches being reported to federal regulators so far this year.
As of Monday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 89 major health data breaches affecting a total of more than 7.3 million individuals so far in 2021.
Of those, 60 breaches - or more than two-thirds - were reported as hacking/IT incidents affecting nearly 7.07 million individuals, or nearly 97% of individuals affected so far this year by health data breaches that had an impact on 500 or more individuals.
Business associates were reported as being "present" in 26 of the health data breaches, affecting about 5.3 million individuals, posted to the federal tally since the beginning of the year.
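The figures above are derived by grouping the breach-portal listings by breach type and by whether a business associate was present, then summing the individuals affected. The following Python script is an added example, not part of the article, showing how to reproduce that kind of breakdown from a CSV export. The column headers are assumed to match the HHS OCR breach portal's export (adjust them if yours differ), and the records are constructed sample rows, not real breach reports.

```python
"""Tally breach-portal style records into the breakdown the article reports.

Added example, not part of the article. Column names are ASSUMED to match the
HHS breach portal's CSV export; the rows below are CONSTRUCTED sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real reports). The portal only lists breaches
# affecting 500 or more individuals; summarize() applies the same threshold.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Breach Submission Date,Type of Breach,Business Associate Present
Example Health Plan A,3500000,01/29/2021,Hacking/IT Incident,Yes
Example Practice B,1270000,01/08/2021,Hacking/IT Incident,Yes
Example Hospital C,640000,02/19/2021,Hacking/IT Incident,No
Example Clinic D,71000,02/26/2021,Unauthorized Access/Disclosure,No
Example Office E,2000,03/01/2021,Theft,No
Example Pharmacy F,400,03/02/2021,Loss,No
"""


def load_records(csv_text):
    """Parse a portal-style CSV export into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append({
            "entity": row["Name of Covered Entity"],
            "affected": int(row["Individuals Affected"]),
            "submitted": row["Breach Submission Date"],
            "type": row["Type of Breach"],
            "ba_present": row["Business Associate Present"].strip().lower() == "yes",
        })
    return records


def summarize(records, min_affected=500):
    """Group major breaches by type and business-associate involvement."""
    major = [r for r in records if r["affected"] >= min_affected]
    total_individuals = sum(r["affected"] for r in major)

    by_type = defaultdict(lambda: {"breaches": 0, "individuals": 0})
    for r in major:
        by_type[r["type"]]["breaches"] += 1
        by_type[r["type"]]["individuals"] += r["affected"]

    ba = [r for r in major if r["ba_present"]]
    hacking = by_type.get("Hacking/IT Incident", {"breaches": 0, "individuals": 0})
    # Share of all affected individuals attributable to hacking/IT incidents.
    share = 100.0 * hacking["individuals"] / total_individuals if total_individuals else 0.0
    largest = max(major, key=lambda r: r["affected"], default=None)

    return {
        "breaches": len(major),
        "individuals": total_individuals,
        "by_type": dict(by_type),
        "ba_breaches": len(ba),
        "ba_individuals": sum(r["affected"] for r in ba),
        "hacking_share_pct": round(share, 1),
        "largest": largest["entity"] if largest else None,
    }


if __name__ == "__main__":
    report = summarize(load_records(SAMPLE_CSV))
    print(f"{report['breaches']} major breaches, {report['individuals']:,} individuals")
    for kind, stats in sorted(report["by_type"].items()):
        print(f"  {kind}: {stats['breaches']} breaches, {stats['individuals']:,} individuals")
    print(f"Business associate present: {report['ba_breaches']} breaches, "
          f"{report['ba_individuals']:,} individuals")
    print(f"Hacking/IT share of individuals: {report['hacking_share_pct']}%")
    print(f"Largest breach: {report['largest']}")
```

Pointing the script at a real export lets you check a reported percentage such as "nearly 97% of individuals" against the underlying rows, and the 500-individual threshold makes explicit which listings count as "major" breaches.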
The heavy trend so far in 2021 of major health data breaches involving hacking incidents and vendors follows a pattern that also played out during much of 2020 (see: Analysis: 2020 Health Data Breach Trends).
Unfortunately, these trends will only continue and even worsen, some experts predict.
"It is likely to get worse before it gets better, with the global pandemic causing an expansion in private data use cases," says Jim Van Dyke, senior vice president of financial wellness at security vendor Sontiq, which recently acquired security firm Breach Clarity, where Van Dyke was CEO.
Healthcare providers and vendors need to be on the highest alert to safeguard health data, which now appears to be a favorite target for hackers and other cybercriminals, he notes.
"The internet can be a harsh and cruel context in which to have one’s most personal secrets exposed," he says.
"Update software settings, patches and passwords. Educate all team members on the latest scams, and test them to ensure their exposure to scams first comes via internal testing rather than an external bad actor." Van Dyke also notes that social engineering is a growing tactic used in security incidents hitting the healthcare sector.
As of Monday, a hacking/IT incident involving a business associate reported on Jan. 29 by children's health and dental plan Florida Healthy Kids Corp., affecting 3.5 million individuals, topped the federal tally as the largest health data breach so far posted in 2021.
In a breach notification statement, Tallahassee, Florida-based Florida Healthy Kids Corp. says a vendor that hosted its website failed to address vulnerabilities over a seven-year period, resulting in the exposure of patient data. Hackers also tampered with some of the data, the health plan says in its statement.
The second-largest breach recently added to the tally also involves a hacking/IT incident and a business associate. That incident, affecting nearly 1.27 million individuals, was reported to HHS on Jan. 8 by New York-based American Anesthesiology Inc.
In a notification statement, American Anesthesiology says the breach involved a June 2020 phishing incident discovered on July 16 at MEDNAX Services Inc., a service provider and business associate of the anesthesiology practice.
MEDNAX, which previously owned American Anesthesiology before selling the practice to North American Partners in Anesthesia last May, reported a similar hacking incident to HHS in December 2020 and said it affected about 1.3 million individuals.
Neither American Anesthesiology nor MEDNAX immediately responded to Information Security Media Group's requests for clarification about whether the two hacking incidents reported separately by American Anesthesiology and MEDNAX were the same breach or related breaches.
Also added to the tally was a breach affecting 368,000 individuals, involving the Accellion hacking incident, reported to HHS by supermarket and pharmacy chain Kroger on Feb. 19 (see: More Health Data Breaches Tied to Vendor Incidents).
Hacking/IT incidents involving ransomware attacks - including some also involving vendors - have also been added to the federal tally in recent weeks.
For instance, Texas-based Hendrick Health on Feb. 19 reported a hacking/IT incident involving ransomware affecting 640,000 individuals. That incident is the third-largest health data breach posted to the federal tally so far in 2021.
Another recent ransomware incident involving vendors is a breach reported on March 5 by Woodcreek Provider Services, a business associate that provides medical practice management services to Tacoma, Washington-based MultiCare Health System.
That incident, which affected more than 207,000 MultiCare patients, providers and employees, involved a December ransomware attack on Woodcreek's cloud technology services vendor, Netgain Technology.
Unauthorized Access/Disclosure Breaches
The second most common type of health data breach reported in 2021 so far is “unauthorized access/disclosure” incidents. As of Monday, 23 such incidents, affecting nearly 236,000 individuals, have been reported in 2021.
Some of the breaches reported by entities as unauthorized access/disclosure incidents, however, appear to have involved hacking episodes.
They include the largest unauthorized access/disclosure breach posted in 2021, which was reported on Feb. 26 by Summit Behavioral Healthcare, a Tennessee-based provider of mental and behavioral health treatment.
That incident, reported by Summit as affecting nearly 71,000 individuals, appears to have involved a phishing incident resulting in unauthorized access to two employees' email accounts, according to the entity's statement.
Some experts note that breaches involving sensitive information, such as mental health records, are especially worrisome.
"Behavioral health encounters carry the most private thoughts and concerns of an individual," says Susan Lucci, senior privacy and security consultant at consulting firm tw-Security.
"If this trust is broken due to a security incident, the individual seeking guidance may not continue with the provider. HIPAA and other privacy rules have always carried stricter requirements to do more to protect these records from unauthorized access."
All behavioral healthcare providers should exercise critical security steps to be sure that data is protected whether at rest or in transit, Lucci says.
For instance, "extra educational reminders for the workforce illustrating the numerous evolving methods cybercriminals will try to trick people into clicking on a link need to occur more frequently."
The remainder of breaches posted so far in 2021 were a half-dozen “loss” and “theft” breaches affecting a total of about 7,300 individuals and involving mostly paper/film records.
As of Monday, the HHS Office for Civil Rights' website, launched in September 2009, listed 3,810 major health data breaches affecting a total of nearly 278.4 million individuals.
Of those, 934 breaches affecting nearly 90.6 million individuals involved a business associate.
To date, 1,412 breaches affecting 223.5 million individuals that have been posted to the HHS website since 2009 reportedly involved hacking/IT incidents.
Still, the largest health data breach posted to the HHS website to date is a hacking incident affecting nearly 79 million individuals reported in February 2015 by health insurer Anthem.