Health Data Breaches in 2020: Ransomware Incidents DominateBlackbaud, Magellan Health Incidents Trigger Numerous Breach Notifications
Hacking incidents involving ransomware attacks continue to dominate the 2020 health data breach tally, with incidents affecting two companies - Blackbaud and Magellan Health - accounting for numerous breach notifications by their clients.
See Also: HIPAA Audits: A Revised Game Plan
As of Tuesday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that ransomware attacks account for most of the largest health data breaches so far this year.
Ransomware incidents involving fundraising software provider Blackbaud and managed health company Magellan Health are responsible for nine of the 10 largest health data hacking incidents posted on the federal tally so far in 2020.
"Ransomware continues to be a lucrative business for criminals," says Keith Fricke, principal consultant at tw-Security. "Until targeted organizations implement security controls that effectively hamper the overall earnings of ransomware attacks, the criminals will continue using ransomware as a revenue generator."
Al Pascual, chief operating officer and co-founder of consulting firm Breach Clarity, says the final health data breach tally for all of 2020 likely will include double the number of incidents seen in 2019. A big reason why, he says, are the two big ransomware incidents that led to breach notifications issued by dozens of healthcare organizations.
Commonly called the "wall of shame," the HHS Office for Civil Rights' HIPAA breach reporting website lists health data breaches affecting 500 or more individuals.
As of Tuesday, the HHS OCR website shows 3,510 reported breaches affecting nearly 260 million individuals posted since 2009.
So far in 2020, 444 breaches affecting more than 21 million individuals have been added to the HHS tally. Of those, nearly 70% were reported as hacking/IT incidents, affecting a combined total of more than 19 million individuals.
Biggest Health Data Hacking Breaches in 2020, So Far
|Breached Entity||Individuals Affected|
|*Trinity Health||3.3 Million|
|*Inova Health System||1.04 Million|
|**Magellan Health Inc.||1.01 Million|
|*Northern Light Health||658,000|
|Florida Orthopedic Institute||640,000|
|*Saint Luke's Foundation||360,000|
|*NorthShore University HealthSystem||349,000|
|**Magellan Rx Management||315,000|
The Blackbaud-related breach reported by Livonia, Michigan-based Trinity Health in September is the largest breach added to the HHS tally for far in 2020.
So far, about three dozen breaches reported to HHS, affecting a combined total of nearly 10 million individuals, are tied to the Blackbaud ransomware attack (see: Blackbaud: Hackers May Have Accessed Banking Details).
The Blackbaud ransomware incident also has affected organizations in other sectors. And the company faces a lawsuit that questions the company's move to pay off a hacker in return for a promise to delete data that was stolen (see: Class Action Lawsuit Questions Blackbaud's Hacker Payoff).
Other Ransomware Victims
The health data breach tally also shows at least nine breach reports - affecting a total of nearly 365,000 individuals - stemming from an April ransomware attack on managed care company Magellan (see: Victim Count in Magellan Ransomware Incident Soars).
A ransomware incident reported in July by Florida Orthopedic Institute affecting 640,000 individuals is the only breach among the top 10 largest hacking incidents in 2020 that did not involve the attacks on either Blackbaud or Magellan Health.
The largest breach not related to hacking listed on the federal tally so far this year stemmed from the theft of an unencrypted laptop computer reported in February by Portland, Oregon-based Medicaid coordinated care organization Health Share of Oregon. The computer, which was stolen from the entity's nonemergency medical transportation vendor, GridWorks, contained data on more than 654,000 individuals.
That one laptop theft affected more individuals than the 91 unauthorized access/disclosure breaches posted so far in 2020, which affected a combined total of nearly 470,000 individuals.
So far in 2020, the HHS tally shows 170 breaches affecting nearly 12.9 million individuals were reported as involving a business associate.
"Healthcare organizations should ensure that they have a robust vendor due diligence process in place - specifically when it comes to their security," says Breach Clarity's Pascual.
"Over the last seven or eight years, the financial services sector has really stepped up its efforts to ensure that their vendors are more secure. And healthcare organizations would do well to emulate those same processes enumerated by banking regulators."
Among the largest recently posted breaches not involving either the Blackbaud or the Magellan Health ransomware attacks was a hacking incident reported on Sept. 25 by Texas-based healthcare organization Legacy Community Health Services, which affected more than 228,000 individuals.
Legacy Community says the breach involved an employee responding to a phishing email.
Phishing scams remain a top problem at the center of many major hacking incidents - especially amid the coronavirus pandemic, some experts note.
"It is possible that ransomware attacks are using COVID-themed phishing emails," Fricke notes.
While security awareness is critical to reducing the threat of phishing attacks, such training will not eliminate the threat, Fricke notes.
"With the volume of emails most corporate workers receive every day, clicking without thinking can be a function of trying to keep up on messages while juggling multiple job responsibilities," he says.
Implementing multifactor authentication is an effective way to thwart credential-stealing phishing attacks, Fricke says.
Also, a majority of healthcare entities have not yet implemented a "report as phishing" plug-in to their email application, notes David Chaddock, cybersecurity consultant at West Monroe.
That feature enables users to identify, report and block malicious emails before they circulate further in the organization, he says. "For a technical control, that has been effective in at least reducing the likelihood of multiple users falling victim to the same attack."