Health Breach Tally to Pass 20 Million

3 Incidents Affecting 1.3 Million Not Yet on List
Health Breach Tally to Pass 20 Million

After a quiet start to the year, the federal tally of individuals affected by major healthcare information breaches soon could exceed 20 million once three recent incidents are added. For now, the tally includes 410 incidents affecting almost 19.2 million individuals since September 2009.

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

As of April 24, the breach list includes only four 2012 incidents affecting a total of about 31,000. Not yet on the tally, however, are these three recent significant breaches:

  • A Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children's Health Insurance Plan recipients and others;
  • An Emory Healthcare breach involving 10 missing computer disks, affecting 315,000 surgical patients;
  • A South Carolina Department of Health and Human Services breach affecting 228,000 Medicaid recipients. The incident involved a now-fired employee who was arrested for allegedly transferring patient information to his personal e-mail account.

The Department of Health and Human Services' Office for Civil Rights adds breaches to its "wall of shame" tally after it conducts an investigation and confirms the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.

Hacking Incidents Relatively Rare

About 55 percent of all the major breaches reported since the rule went into effect have involved lost or stolen unencrypted electronic devices or media. By comparison, only about 7 percent have involving a hacker attack.

The Utah Department of Health breach incident is, by far, the largest of the about 30 hacking incidents on the list of major breaches. And it's an important eye-opener, says security consultant Rebecca Herold of Rebecca Herold & Associates (see: Utah Hack Attack: Lessons Learned). "This incident should make it clear to business leaders, in all types of organizations, that there are hackers out there who are keeping an eye on systems that they view as prime targets yielding huge goldmines of data if they can find one hole to slip through," she says.

Adam Greene, a former OCR official and now a partner at the law firm Davis Wright Tremaine, is surprised there haven't been more hacking incidents added to the list of major breaches. Some criminals consider health information to be far more valuable than financial information, he notes. The stolen information could pave the way for submitting false healthcare claims in bulk, and health insurance information also could be used to fraudulently obtain treatment. "I have had concerns that there could be more hacking incidents that are going undetected," he says.

Preventing Hacker Attacks

In the Utah incident, authorities said the hacking attack was made possible because of a problem with protecting a state server. "In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system," according to a Utah Department of Health statement. The state's Department of Technology Services, which managed the server, "has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure."

Such failures to follow procedures are common among healthcare organizations, Herold contends. "I believe such mistakes, oversights, and outright 'Well, no one's going to catch this' types of situations are likely widespread," she says.

It's very easy for mistakes to occur within the network security architecture of a complex set of systems," Herold notes. "And there will always be some humans involved who are tempted to bypass important security controls because they slow them down, are cumbersome to follow, take too long to perform or they simply believe that no one will ever be able to find such a vulnerability."

Greene stresses that, in light of the Utah incident, organizations should "consider technical methods of monitoring server and desktop configurations to ensure that security controls are uniformly applied and maintained."

The Utah incident also points to the value of encryption. If the information on the server was protected by encryption, the hacking incident would not even have had to be reported under the breach rule.

Greene also notes that another good breach prevention measure is to conduct a comprehensive risk assessment. Plus, he says launching an ongoing evaluation program that includes vulnerability and penetration testing also helps guard against hackers.

Seven Anti-Hacking Tips

Herold suggests seven steps to thwart hacker attacks:

  • Have well-documented systems and applications procedures - and supporting standards - in place that are consistently followed;
  • Provide training and ongoing awareness for the procedures and standards;
  • Log changes consistently, have teams responsible for reviewing the logs and maintain the logs for an appropriate period of time;
  • Perform ongoing audits to catch configuration errors;
  • Have a change control process in place to help keep the mistakes of individuals from being put into production;
  • Implement intrusion detection systems and intrusion prevention systems;
  • Engage independent third parties to perform periodic vulnerability scans and penetration tests.

  • About the Author

    Howard Anderson

    Howard Anderson

    News Editor, ISMG

    Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




    Around the Network

    Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.