Health Data Breach Tally SurgesVictim Count in Magellan Health's April Ransomware Attack Still Climbing
The tally of major health data breaches has spiked in recent weeks. The number of individuals affected by the ransomware attack on Magellan Health, a managed care firm, continues to grow. Meanwhile, other large hacking incidents have been added to the federal breach reporting website.
As of Thursday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 302 major health breaches impacting nearly 8.7 million individuals have been added to the tally so far in 2020. That's significant growth since July 9, when the tally listed 250 breaches affecting about 5.4 million individuals added this year.
The HHS website, also commonly called the "wall of shame" lists health data breaches affecting 500 or more individuals.
The ransomware attack that Magellan disclosed in May is the largest incident added to the tally this year - and its impact may continue to grow. As of Aug. 13, the tally says it has affected nearly 1.7 million individuals.
Since June, nearly a dozen individual breach reports filed by various Magellan units and other related companies affected by the ransomware incident have been posted to the HHS site (see: Victim Count in Magellan Ransomware Incident Soars). The latest to be added were reported by health plan Magellan Health Inc., with more than 1 million individuals affected, and Magellan Rx Management, which reported nearly 315,000 individuals impacted.
In a statement provided to Information Security Media Group, Magellan says it has investigated the incident with forensic experts; notified affected customers, individuals and employees; and alerted government agencies and law enforcement authorities. "We have taken a number of additional measures to further strengthen our security policies and protocols," the statement adds.
The ransomware incident affected multiple Magellan entities, and each has filed its own breach report. But Magellan did not respond to ISMG's request for additional details on whether additional breach reports are still pending.
Some 189 breaches added to the tally so far this year are listed as IT/hacking incidents, affecting a total of nearly 6.9 million individuals - or about 80% of all those affected by breaches posted in 2020.
Ransomware was the culprit in many of these breaches. That includes an incident affecting nearly 130,000 individuals reported on July 27 by Springfield, Mass.-based Behavioral Health Network, a provider of mental health services.
BHN says in a notification statement that a hacker placed malware within its environment that disrupted the operation of certain systems. The hacker may have had access to certain files within these systems containing patients' names, addresses, dates of birth, Social Security numbers, medical/diagnosis/treatment information and/or health insurance claim information.
The HHS tally also shows 19 breaches involving lost/stolen unencrypted computing devices, affecting a total of nearly 792,000 individuals, have been added this year. Also, 73 unauthorized access/disclosure breaches affecting nearly 389,000 individuals have been posted.
Since 2009, when the tally began, 3,369 breaches affecting 247.5 million individuals have been tracked.
Some experts predict that hacking incidents - including those involving ransomware - will continue to dominate the federal tally.
Because of COVID-19 response efforts - and the surge in remote workers and telehealth - some breaches - including those involving coronavirus-themed phishing attacks and other related scams - could take longer to detect and ultimately report to regulators.
"Since breaches are often not discovered until months after the fact, we should expect to see breach reports at this level continue after the pandemic has subsided," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Healthcare workers are stressed and likely to continue to be taken in by phishing emails," she adds.
Keith Fricke, principal consultant at tw-Security, observes: "With hospital IT departments' focus on setting up workers to work from home back when COVID started surging, some breaches may have occurred that have yet to be discovered. Additionally, trends are on the rise for criminals to steal data before launching ransomware attacks. They threaten to publish stolen data on the internet if a ransom is not paid."
A critical breach prevention step in the current environment is to use two-factor authentication to help prevent criminals from compromising business email accounts that can be used to launch ransomware phishing campaigns, Fricke notes.
"Educating the workforce on phishing through internally conducted phishing campaigns, tracking click rates, and targeted phishing awareness is an important way to prevent ransomware incidents," he adds.
He also notes that "incident playbooks are necessary to ensure efficient and competent response. Organizations should perform tabletop exercises periodically to test playbooks and rehearse response capability."