Health Data Breach Tally's 2021 Surge ContinuesRansomware Attacks Continue to Plague the Sector
Another big wave of large breaches stemming from hacking incidents, including ransomware attacks, has flooded the federal tally of major health data breaches in recent weeks.
Nearly 100 new breaches have been posted to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
As of Thursday, the HHS Office for Civil Rights website showed 251 major breaches had been added to the tally so far this year, affecting a total of nearly 17.3 million individuals.
That’s a big jump since April 19, when the tally listed 159 breaches affecting a combined total of 12.5 million individuals (see: What Are Reasons Behind Health Data Breach Surge?).
"The HHS data shows that - so far in 2021- over 1 in 20 U.S. adults were the victims of a healthcare breach," says Jim Van Dyke, senior vice president at security vendor Sontiq.
"We need to make ourselves constantly aware of how these breaches fuel identity crimes - and most importantly, what organizations and consumers alike can do to stop the inevitable data breach from becoming an identity crime that creates real, personal losses," he says.
Of the breaches posted to the tally so far this year, 174 - or nearly 70% - were reported as “hacking/IT incidents” affecting 16.5 million individuals, or about 95% of those people affected by breaches tallied in 2021.
The largest breach added to the tally in recent weeks is a hacking incident reported to HHS on May 5 by San Antonio, Texas-based NEC Networks, which does business as CaptureRx. That breach affected nearly 1.7 million individuals.
The company - which provides pharmacy benefit management and administrative services to hundreds of U.S. hospitals and others - on Thursday listed about 130 covered-entity clients that have been affected by its breach, compared to the 40 affected clients CaptureRx reported when it first disclosed the incident (see: More Healthcare Disruptions Tied to Vendor Incidents).
A breach notification report CaptureRx submitted to Maine's state attorney general's office on May 18 updates the total number of affected individuals to nearly 2 million.
While the CaptureRx incident has been reported in some other media outlets, including Becker's, as involving ransomware, CaptureRx has not confirmed any details about the nature of the attack. It did not immediately respond to a request for comment.
The company says in a notification statement that its investigation determined "that certain files were accessed and acquired on Feb. 6, without authorization.” Affected data included individuals' names, dates of birth and prescription information, the company says.
Van Dyke notes that the dozens of entities affected by the CaptureRx incident are a continuation of a growing phenomenon he calls "breach complex."
Breach complexes are composed of "a voluminous number" of related incidents, such as dozens of covered entities all reporting individual breaches linked to the same vendor mishap, he says.
"Each individual breach in a 'breach complex' can expose unique identity credentials, and in turn create unique identity crime risks."
Also among the largest breaches added to the tally in recent weeks is a hacking incident reported by New Mexico-based Rehoboth McKinley Christian Health Care Services that affected 207,000 individuals. That incident has been reported in other media outlets as a ransomware incident involving the Conti ransomware gang. But the organization has not confirmed the nature of the attack.
Meanwhile, a recent ransomware attack on New York-based Orthopedic Associates of Dutchess County affected nearly 331,400 individuals. In its breach statement, the practice acknowledges that its systems were encrypted by attackers and patient data was "removed/viewed."
The CaptureRx incident is one of nearly 100 business associate-related breaches added to the tally so far this year. In total, those vendor incidents have affected nearly 11.3 million individuals, or 65% of people affected so far by major health data breaches added to the tally in 2021.
Among the incidents involving business associates added to the tally in recent weeks was a breach affecting 125,500 individuals reported by San Diego Family Care and a breach affecting nearly 294,000 individuals reported by Health Center Partners of Southern California.
In a joint breach notification statement, the nonprofits say San Diego Family Care and its business associate, Health Center Partners of Southern California, became aware that their unnamed information technology hosting provider had "experienced a data security incident that resulted in the encryption of certain data."
Databreaches.net reports that the entities are among the growing list of clients of cloud hosting and managed service provider Netgain Technology affected by a December 2020 ransomware attack.
The string of ransomware attacks in healthcare "indicate that hackers have not slowed in their efforts in finding new ways to get people to click a link or open a PDF," says Susan Lucci, senior privacy and security consultant at tw-Security.
"Their work to introduce ransomware and encrypt files to cripple not only healthcare but infrastructure of our country has proven to be relentless," she says. "Everyone should be on high alert and carefully scrutinize what is arriving in their email inbox."
Ransomware is the leading cause of healthcare data breaches, she notes and says, "Hacking is the cause of nearly 80% of all the reported large data breaches since reporting started in 2009."
Other Breach Causes
Another leading cause of breaches reported so far in 2021 is incidents involving “unauthorized access/disclosures.” About 64 such incidents affecting nearly 662,000 individuals have been added to the tally so far this year.
The largest of those incidents was reported to HHS on April 29 by the Wyoming Department of Health. That incident involved files containing COVID-19 and influenza test result data, as well and breath alcohol test results, being mistakenly uploaded by an employee to public-facing GitHub.com.
Since its inception in September 2009, the HHS website has listed 3,977 breaches affecting a total of 290 million individuals.