Health Data Breach Tally: The Latest AdditionsLargest Incident: Break-In at California State Agency That Affected 582,000
The number of health data breach victims added to the official federal tally so far in 2018 has doubled in recent weeks to more than 2 million. The largest breach of the year so far, which was recently added to the tally, involved a break-in at a California government office that affected 582,000 individuals.
As of Thursday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website - commonly called the "wall of shame" - showed that 124 breaches have been reported to HHS so far in 2018. About 30 percent of those breaches - 38 incidents - have been posted to the website since April 17, the last time Information Security Media Group analyzed the federal breach tally (see Health Data Breach Tally Spikes in Recent Weeks.)
The May 17 snapshot shows that since 2009, when federal regulators began keeping a tally, 2,306 breaches impacting more than 262.4 million individuals have been posted to the wall of shame.
By far the largest of breach ever posted on the wall of shame is a hacking incident reported in 2015 by health insurer Anthem Inc., which impacted 78.8 million individuals.
Five Largest 2018 Breaches, So Far
|Name of Entity
|California Dept. of Developmental Services
|Oklahoma State University Center for Health Sciences
|St. Peter's Ambulatory Surgery Center
|Center for Orthopaedic Specialists
|Tufts Associated Health Maintenance Organization
Biggest 2018 Breach
The biggest contributor over the last month to the spike in breach victims was a February break-in at the California Department of Developmental Services.
The agency report the "unauthorized access/disclosure" incident to OCR in April.
In a statement posted on the agency's site, DDS says "trespassers ransacked files, vandalized and stole state property and started a fire" at the agency's Sacramento legal and auditing offices.
After the break-in, DDS discovered a number of paper documents and compact discs were either displaced or damaged from the fire and the sprinklers. DDS says it has no evidence that personal and health information was compromised due to the incident. But the offices contained PHI of about 582,000 individuals, plus personal information of about 15,000 employees at the agency's regional centers, service providers, and applicants seeking employment with the department, the statement says.
Also stolen in the break-in were 12 laptop computers owned by the state. Those computers, however, were encrypted, the statement notes.
The agency says it's notifying all individuals whose data may have been compromised in the incident. "The department will enhance building security safeguards and our procedures and practices, and will work towards reducing any potential risks arising from this incident and preventing any future incidents," the statement says.
The incident involving the California DDS is one of 57 breaches reported in 2018 so far that are described as "unauthorized access/disclosure" cases. In total, those incidents have impacted 1.1 million individuals; about half of those breach victims were impacted by the California DDS break-in.
Meanwhile, the wall of shame shows 36 hacking/IT incidents posted so far in 2018, impacting about 41 percent of the total number of people affected - or about 812,000 individuals.
The second largest incident posted to the federal tally so far in 2018 - and the biggest "hacking/IT incident" posted to date this year - was reported by the Oklahoma State University Center for Health Sciences. That incident, reported in January but discovered in November 2017, impacted nearly 280,000 Medicaid patients.
Another hacking incident recently posted on the wall of shame is a breach impacting nearly 82,000 individuals reported by the California-based Center for Orthopaedics Specialists on April 18.
Thefts and Losses
Another common cause of breaches posted on the wall of shame so far this year are losses or thefts. So far this year, 27 such incidents impacting a total of 79,000 individuals have been listed. Of those, 21 incidents involved laptops and other electronic devices. The rest involved paper/film.
While the wall of shame is still splattered with 2018 breach reports involving the loss or theft of unencrypted computing devices, far fewer of those major incidents are being reported now compared to several years ago when those cases were the No. 1 culprit in many of the largest breaches appearing "wall of shame" breaches.
The wall of shame has likely seen fewer big breaches in recent years involving lost or stolen unencrypted devices because of improved awareness and security practices involving mobile devices. But organizations must guard against becoming complacent, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Increased encryption is great, and long overdue. This must continue to increase," she says. "But CEs cannot stop there; they must continue to use more encryption in all the new types of devices. Also, just because encryption is used doesn't mean that incidents will not occur," she notes.
In the meantime, healthcare organizations continue to be targets for hacker attacks and other cyber incidents.
"Covered entities are using a larger variety of computing devices than ever before. They are generating more PHI than ever before with more types of medical devices," Herold says.
"Medical device creators have not been proactive in building security controls into those devices, so the providers using them are dealing with more new and emerging types of risks being introduced into their networks, often with unexpected security incident impacts," she adds.
"There are now more business associates used than ever before to support CEs, but ... a large portion of those BAs are not sufficiently protecting the PHI that has been entrusted to them."