Health Data Breach Trends: A Mid-Year Report
Ransomware Attacks, Vendor Incidents Continue to Dominate
Ransomware attacks and breaches of vendors continue to account for the biggest health data breaches added to the official federal tally so far this year.
As of Monday, some 383 health data breaches affecting more than 27 million individuals had been added this year to the HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Since the last Information Security Media Group snapshot of the HHS breach website on May 27, about 131 breaches affecting nearly 10 million people have been added to the federal tally.
Of the breaches added to the tally in 2021, the vast majority - 283 breaches affecting 26.1 million individuals - were reported as involving hacking/IT incidents.
Largest Breaches Added to Tally in 2021, So Far

| Breached Entity | Individuals Affected |
|---|---|
| Florida Healthy Kids Corp. | 3.5 million |
| 20/20 Eye Care Network | 3.3 million |
| Forefront Dermatology, S.C. | 2.4 million |
| The Kroger Co. | 1.5 million |
| American Anesthesiology | 1.3 million |
| Practicefirst Medical Management Solutions | 1.2 million |
| Personal Touch Holding | 750,000 |
| Health Net Community Solutions | 690,000 |
Two ransomware incidents added to the tally in the last month rank among the biggest breaches posted to the HHS site this year.
Forefront Dermatology S.C. on July 8 reported a ransomware attack affecting more than 2.4 million individuals. And medical management services vendor Practicefirst Medical Management Solutions on July 1 reported an incident affecting 1.2 million individuals.
The Practicefirst incident is among some 165 breaches - affecting a total of about 19.4 million individuals - added to the tally so far in 2021 that involved business associates.
Some experts advise covered entities to intensify their security risk scrutiny of vendors, given the frequency of recent incidents involving business associates.
"When a healthcare organization experiences a data breach, they are likely to conduct a post-mortem and review what happened and assess and implement lessons learned in terms of policy changes, additional education or other steps to reduce the likelihood of recurrence," says Susan Lucci, senior privacy and security consultant of tw-Security.
"This is even more important when a business associate experiences a data breach, but this rarely occurs," she notes. "This is the very best time to inquire about the details of the incident with the privacy officer of the business associate - or the individual in charge of conducting the incident response."
After a breach, healthcare organizations should ask business associates how the incident happened, what lessons they've learned and how security improvements will be implemented, she advises.
"This is also the ideal time to look across your business associate log and ask some of these similar questions of key business associates - the ones who have the most access to PHI."
Among the most troubling breaches posted to the tally in recent weeks is a hacking incident reported to HHS in late May by Rehoboth McKinley Christian Health Care Services affecting more than 207,000 individuals, notes Jim Van Dyke, who tracks data breach trends as a senior vice president at security firm Sontiq.
That breach - which involved a ransomware incident - "not only exposed a very unusual 12 identity credentials, it also yielded credentials that are the most useful in the commission of several identity crimes - such as fraudulent new credit/loan accounts, existing financial account fraud, medical identity theft and evading the law," he notes.
Among the information compromised in that incident were Social Security numbers, passport numbers, driver's license numbers, bank account numbers, healthcare provider account numbers and medical histories, he notes.
"Risk mitigation is made much more difficult for this high-risk breach because it must address a much greater amount of potential crimes - and with criminals being in the strongest possible position to impersonate the identity-holder for each one," Van Dyke says.
After hacking/IT incidents, the second most common type of breach added to the tally in 2021 so far is “unauthorized access/disclosure” incidents. There have been 80 such breaches affecting nearly 756,000 individuals added to the tally.
And only seven breaches, affecting a total of about 27,000 individuals, that involved lost/stolen unencrypted computing devices have been posted to the tally. Several years ago, those sorts of incidents accounted for the majority of health data breaches.
Since its inception in September 2009, some 4,110 health data breaches affecting more than 300 million individuals have been posted to the federal tally.
To help prevent falling victim to hacking incidents, organizations need to be proactive, Lucci says.
"We see reminders of hacking and ransomware so frequently, it cannot be the lack of awareness," she says. "So the likely culprit is that people are clicking on links that they 'think' are OK. One of the best ways to keep employees from becoming numb to basic reminders is to include current examples of data breaches and include the details.
"If you can demonstrate, by example, how clever and creative the cybercriminals are in convincing you to 'click,' the more likely the lesson will be remembered."
Healthcare organizations that outsource functions to vendors must avoid "loosening up their controls on procedures in areas that could allow the bad operators to get in," Van Dyke notes.
"Hackers are clearly realizing that the most successful way to penetrate an entity is through the seams between them and the third parties they work with," he says. "Healthcare entities are now struggling to manage third parties, while not hamstringing them in such a way that the original competitive edge - in service provisioning - is lost."