Breach Notification , HIPAA/HITECH , Incident & Breach Response
Health Data Breach Tally Update: Top Causes
An Analysis of the Latest Trends - and What's AheadHacker attacks, IT mishaps and vendor errors are among the top causes of the largest health data breaches added to the official federal tally so far this year.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
A Friday snapshot of the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 429 breaches affecting a total of more than 40 million individuals have been added to the tally so far this year.
Some 2,982 breaches affecting more than 231 million individuals have been posted on the HHS health data breach website since 2009. Commonly called the "wall of shame," the website lists breaches affecting 500 or more individuals.
2019 Trends Playing Out
Of breaches posted in 2019 so far, 252 are reported as a “hacking/IT incident,” and those affected a total of more than 35 million individuals – or about 88 percent of all those affected by breaches added to the tally.
What HHS labels as “hacking/IT incidents” go beyond cyberattacks; they include a variety of IT mishaps, including breaches involving misconfigured databases and server settings.
Two of the largest of those incidents are a breach reported in June by health plan administrator Dominion Dental Services impacting 3 million plan members of its client, Oregon-based Providence Health Plan, and an incident reported in April by Inmediata Health Group affecting nearly 1.6 million individuals.
Among other recent additions to the tally: Some 15 breaches reported by Texas Health Resources’ hospitals affecting more than 83,000 patients that are all tied to the same misconfigured billing system.
BA Breaches
Business associates were involved in several big breaches reported to HHS in 2019.
Of breaches posted to the federal tally so far in 2019, about one-quarter were reported as having a BA “present.” But those breaches affected a total of nearly 25 million individuals – or more than 60 percent of those affected by breaches reported so far in 2019.
The largest of those vendor-related incidents are some two dozen breaches affecting more than 20 million individuals reported by healthcare clients – predominately medical testing labs - of American Medical Collection Agency, which in June revealed a hacking incident.
10 Largest Health Data Breaches Reported So Far in 2019
Breached Entity | Individuals Affected |
---|---|
Optum360 (on behalf of Quest Diagnostics) | 11.5 million |
Laboratory Corporation of America | 10.3 million |
Dominion Dental Services | 3 million |
Clinical Pathology Labs | 1.7 million |
Inmediata Health Group | 1.6 million |
UW Medicine | 973,000 |
Women's Care Florida | 529,000 |
CareCentrix | 468,000 |
Intramural Practice Plan - Medical Sciences Campus - University of Puerto Rico | 440,000 |
BioReference Laboratories | 426,000 |
Other Breaches
In 2019 so far, 128 breaches reported as “unauthorized access/disclosure” incidents have affected 4.5 million individuals, or about 15 percent of those people affected.
The silver lining on the federal tally is that breaches involving lost or stolen unencrypted devices continue to fall. So far, only 27 incidents involving lost/stolen unencrypted devices impacting about 217,000 individuals have been added to the tally this year.
Recent Additions
Among the largest breaches added to the tally in recent weeks was a hacking/IT incident involving a network server and impacting nearly 440,000 individuals reported on Sept. 16 by the Intramural Practice Plan of on the Medical Sciences Campus of the University of Puerto Rico.
No breach notification statement about the incident appears to have been issued by the university or practice plan, and they did not immediately respond to an Information Security Media Group request for information about the incident.
That incident now ranks as the ninth largest health data breach posted to the tally this year.
Also added to the tally in recent weeks was a hacking/IT incident reported on Nov. 1 by Provo, Utah based Utah Valley Eye Center impacting more than 20,000 individuals. That breach involved a misconfigured third-party vendor appointment reminder portal.
Another recent add to the tally is a phishing attack that impacted 140,000 individuals reported on Oct. 22 by Montana-based Kalispell Regional Healthcare.
Also recently added: a breach affecting 19,000 individuals reported on Oct. 28 by Columbia, S.C-based Prisma Health – Midlands.
In a statement, the organization says the incident involved the compromise of a Prisma Health team member’s login credentials. “Prisma Health determined that the compromised login credentials provided access to patient pre-registration and volunteer registration information forms previously completed on the Palmetto Health website,” the statement notes.
Taking Action
So what health data breach trends are on the horizon for the year ahead?
”I believe we will continue to see hacking/IT incidents leading the way at least in terms of the biggest breaches,” predicts Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.
”Information technology continues to expand in scale and complexity. That means the attack surface is expanding for hackers and also that it's likely that mistakes, like misconfigured servers, will occur, exposing electronic protected health information. In addition, these types of incidents usually involve information system components that contain relatively large numbers of records.”
Organizations should remain mindful about the breach risks posed by their vendors, Moore adds. Cybersecurity supply chain risk is a growing concern.
”The first steps are to understand, treat and manage the risks associated with your organization’s business associates/vendors. That said, there is no way to completely avoid all risk unless you elect not to enter into the relationship at all,” Moore says.
“Best practices are to contractually obligate the BA/vendor to have an incident response process in place as well as a requirement that your organization is notified in a timely manner. For those relationships that pose a significant risk, response and recovery planning and testing should be done in coordination with the BA/vendor.”