Health Data Breach Victim Tally for 2018 Soars
Analyzing the Latest 'Wall of Shame' Trends
(Editor's Note: This story has been updated to correct certain totals.)
About 30 new health data breaches - including a phishing attack impacting 1.4 million individuals - have been added in recent weeks to the official federal tally, pushing the total victim count for 2018 so far to 6.1 million.
As of Tuesday, 229 breaches had been added so far this year to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame." Hacker attacks accounted for 4.3 million of the victims. The website lists health data breaches affecting 500 or more individuals since 2009.
The 30 incidents added to the tally since Information Security Media Group's last snapshot in July affected a total of 2.2 million. Most of those had their data exposed as a result of a phishing attack against Health System/UnityPoint Health, which was reported to HHS on July 30. That incident, which involved a business email compromise scheme, is by far the largest health data breach posted to the wall of shame so far in 2018.
Business Email Compromise
"People are often taken off guard" by business email compromise schemes, when scam emails appear to be sent from a user's boss or another colleague, says Teresa Grogan, CIO at Vertitech IT, a national healthcare IT consulting and engineering firm based in Holyoke, Mass.
"There needs to be a bigger shift in the training of folks and also deploying better advanced threat analytics technology from an email perspective," she suggests.
Phishing attacks on healthcare entities involving business email compromise scams "may be more common than anyone might guess," says Susan Lucci, senior privacy and security consultant at tw-Security. "This is why it is essential that if these types of emails are getting through, they need to be reported to IT or the help desk."
Organizations that have heightened awareness surrounding phishing attacks are better positioned to avoid becoming a victim, Lucci adds.
Five Largest Health Data Breaches So Far in 2018
| Breached Entity | Individuals Affected |
|---|---|
| UnityPoint Health | 1,400,000 |
| California Dept. of Developmental Services | 582,000 |
| MSK Group | 566,000 |
| LifeBridge Health | 538,000 |
| SSM Health St. Mary's Hospital | 301,000 |
Breach Breakdown
Of the breaches added to the federal tally in 2018 so far, 91 are listed as hacking/IT incidents impacting a total of 4.3 million individuals - or about 70 percent of all victims so far this year. Another 91 incidents are listed as "unauthorized access/disclosure" breaches, impacting nearly 803,000 individuals.
Sometimes breaches posted on the wall of shame are publicly disclosed as having involved a cyberattack but are reported to regulators as "unauthorized access/disclosure." But this category of breach can involve many different types of circumstances.
For instance, the federal tally shows that the largest unauthorized access/disclosure breach reported to HHS so far in 2018 affected MedEvolve, an Arkansas-based vendor of practice management software. In that incident, a file containing patient data of one of MedEvolve's former healthcare customers was inadvertently left on a file transfer protocol server that was exposed to the internet. That incident, reported in July, impacted more than 205,400 individuals.
Among other factors that can lead to unauthorized access, Lucci says, are curious staff members "along with those who just genuinely are concerned about a particular incident and want to find out what happened" to patients.
"This curiosity indicates that refresher or annual privacy education may not be achieving its goal," she notes. "Remind the workforce about privacy and that curiosity is often just another word for snooping. And most organizations have a zero-tolerance for this type of activity that essentially is a reportable breach and that the sanction policy will be enforced."
Organizations also should conduct frequent audits of records access, Lucci recommends. "Auditing access is required, but it is important to do it routinely and randomly, and the results of the audits should be shared at least at the management level to help reinforce privacy policy in every department," she says.
Thefts and Losses
Some 41 breaches so far this year were reported as having theft/loss as the cause; those affected a total of 677,000 individuals. Some 13 of those incidents, impacting 597,000 individuals, stemmed from the loss or theft of paper/film records. The remainder involved unencrypted computing devices; those affected a total of about 80,000 individuals.
With awareness growing of the importance of encrypting mobile devices, health data breach reports involving stolen or lost unencrypted devices are becoming far less frequent than a few years back.
Also added to the federal tally in 2018 were six "improper disposal" incidents impacting more than 330,000 individuals, nearly all of which were reported as involving paper/film records.
Since 2009, a total of 2,411 incidents impacting 187.7 million individuals have been posted to the wall of shame. Of those, 520 breaches involved hacking/IT incidents, impacting 141 million individuals, or about 75 percent of all victims affected by major health data breaches.