Health Data Breach Tally Update: A Puzzling OmissionWhy Are So Few Ransomware Attacks on the 'Wall of Shame'?
So far in 2018, 15 health data breaches have been reported to federal regulators, affecting a combined total of nearly 391,000 individuals.
But despite numerous ransomware attacks in the healthcare sector grabbing headlines, relatively few such incidents are showing up on the official federal tally. That could be because organizations are inappropriately underreporting these incidents. In some cases, however, investigations may have determined the attacks did not compromise patients' protected health information.
Most of the breaches added in January to the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website of major health data breaches - commonly called the "wall of shame" - occurred in late 2017 but were reported in recent weeks. Under HIPAA, organizations must report breaches impacting 500 or more individuals to federal regulators and affected individuals within 60 days.
So far, the three largest breaches reported in 2018 are listed as hacking/IT incidents. A variety of other breaches have been added to the tally, including six listed as unauthorized access/disclosure; three tied to losses or thefts; and two involving the improper disposal of papers and films. No ransomware attacks, however, were added.
Variety of Causes
The wide assortment of breaches serves as a reminder that entities need to stay on their toes, whether it's safeguarding electronic PHI from hackers or taking steps to prevent missteps.
The largest incident posted to the federal tally so far in 2018 was a "hacking/IT incident" impacting nearly 280,000 Medicaid patients reported by the Oklahoma State University Center for Health Sciences. A notification letter OSUCHS sent to affected individuals notes that the incident was discovered In November 2017.
The second largest breach posted was a hacking incident involving email reported jointly on Jan. 12 by Onco360 Oncology Pharmacy and CareMed Specialty Pharmacy and affecting more than 53,000 individuals.
A notification statement issued jointly by Onco360 and CareMed says that on Nov. 14, "suspicious activity involving an employee's email account was identified."
On Nov. 30, a forensic investigation determined that an unauthorized user appeared to have gained access to email accounts of three employees, the statement notes. "A detailed review of the impacted e-mail accounts was performed, and on Jan. 8, 2018, it was determined that a limited number of those emails may have contained demographic information, medication and clinical information, health insurance information and Social Security numbers of some of the patients receiving services from Onco360 and CareMed Specialty Pharmacy," according to the statement.
A "very small" but undisclosed number of individuals also may have had their financial account information impacted, the notification states. "Prompt measures were taken to address this incident, including changing email account passwords, providing additional training to employees on recognizing suspicious emails, implementing additional measures to further enhance e-mail security and reporting the incident to law enforcement," the organizations note.
Affected individuals are being offered free credit monitoring and identity protection services.
The third largest breach posted was reported on Jan. 5 by Florida's Agency for Health Care Administration, which regulates healthcare facilities and is responsible for administering Medicaid. The agency says the hacking/IT incident, which affected 30,000 individuals, involved a phishing attack on Nov. 15, 2017.
In total, a Jan. 29 snapshot of the federal breach tally shows 2,196 incidents reported since September 2009 affecting a total of nearly 177.1 million individuals. Of those, 420 breaches are reported as hacking/IT incidents affecting about 134.4 million individuals, or 76 percent of those impacted by all the breaches on the tally.
Where's the Ransomware?
Despite the rising number of hacking incidents appearing on the tally - especially over the last two years, noticeably missing from the wall of shame are many breaches reported as involving ransomware. In fact, a spreadsheet downloadable via the wall of shame that provides details of OCR's investigations into each major reported breach shows only 16 breaches that are officially described by the agency as having involved ransomware.
But a number of highly publicized healthcare incidents involving ransomware over the last two years - including 2016 incidents at Hollywood Presbyterian Medical Center and MedStar Health - are not listed on the wall of shame, despite OCR guidance issued in 2016 suggesting that most ransomware incidents involving PHI should be considered breaches.
So are ransomware breaches being underreported by healthcare entities and business associates?
"I am not surprised by the ransomware numbers," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "The HHS guidance does not say that breach notification is required - it says that a ransomware incident - usually - involves unauthorized access to PHI, and that therefore you need to go through the risk assessment exercise to determine if notice is required. In many of the more common ransomware situations, it will be feasible and appropriate to determine that the data was not misused in any way that created material risks to the patients, as long as the information was not destroyed in some way," he says.
"So, there will be lots of ransomware situations where the rule does not require notice to individuals. I don't think this is an enforcement issue at this point; it's more a question of what ransomware is actually doing and how it impacts both individual patients and health care operations. "
Susan Lucci, chief privacy officer of security and privacy consulting firm Just Associates, says she suspects there is still lingering confusion about reporting ransomware breaches to OCR and that some organizations could be simply reporting these events as a hacking incident.
"It certainly should be a clear requirement considering a government interagency report determined that there are about 4,000 ransomware attacks daily since 2016, she says. "Covered entities and business associates want to do the right thing, and confusion can contribute to misreporting."
Lucci also notes that some cyberattacks first considered as involving ransomware turn out to not actually involve extortion schemes, including the attack against Nuance (see Nuance: NotPetya Attack Was Not a Reportable Health Data Breach).
Ransomware "also highlights the importance of some of the more 'mundane' elements of the HIPAA Security Rule, like back-ups and contingency operations," Nahra notes.
"We will see these ransomware numbers go up, but that's because there are a lot of these incidents and some of them will require reporting," he says. "It is critical for covered entities and business associates to pay attention to the kinds of things that are being reported along with media reports and other things that may touch on other incidents that do not get reported as a means of staying on top of appropriate security practices and guarding against 'common' problems. "