HHS OCR Tally Analysis: Breaches, Affected Individuals SurgeReports of Large Hacking Incidents Climb in Recent Weeks
The number of major health data breaches posted to the federal tally so far in 2022 - and the total number of individuals affected by those breaches - has surged in recent weeks as reports of large hacking incidents continue to flow in to regulators.
A snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website on Thursday shows that 117 breaches affecting about 5.32 million people have been posted on the federal tally so far in 2022.
That's an increase of nearly 83% in the number of breaches posted on the HHS site for 2022 and about a 72% surge in the number of individuals affected by those incidents since Information Security Media Group's last breach tally update on Feb. 22. At that time, the tally showed only 64 breaches affecting a total of about 3.1 million individuals in 2022 (see: Hacks Causing Most Big Health Data Breaches So Far in 2022).
In fact, the HHS website shows that four hacking incidents added to the federal tally in the last month are among the 10 largest health data breaches reported so far this year to HHS Office for Civil Rights. Those four breaches alone affected a total of more than 1.2 million individuals, which represents more than half of the 2.2 million individuals affected by breaches added to the tally in the last month.
The HHS OCR website, commonly called the "wall of shame," lists health data breaches affecting 500 or more individuals.
As of Thursday, the HHS OCR website shows some 4,558 major HIPAA breaches affecting about 327.3 million individuals posted since 2009.
10 Largest Health Data Breaches in 2022, So Far
|Breached Entity||Individuals Affected|
|Broward Health||1.35 million|
|Monongalia Health System *||493,000|
|South Denver Cardiology Associates *||288,000|
|Norwood Clinic *||228,000|
|Logan Health Medical Center *||214,000|
|Medical Review Institute of America||135,000|
|Medical Healthcare Solutions||134,000|
|South Shore Hospital Corp.||116,000|
|Comprehensive Health Services||107,000|
Source: U.S. Department of Health and Human Services
Hacking Incidents Dominate
The largest breaches added to the federal tally in recent weeks are all hacking incidents. They include:
- West Virginia-based Monongalia Health System, or Mon Health, reporting to HHS on Feb. 28 a ransomware incident affecting nearly 493,000 individuals. Mon Health last December also reported a phishing email breach affecting 399,000 individuals. A Mon Health spokesman tells ISMG that the breaches are two separate hacking incidents (see: Mon Health Reports Breach Soon After Phishing Incident).
- Colorado-based South Denver Cardiology Associates reporting to HHS on March 4 a hacking incident affecting nearly 288,000 individuals. The entity says the breach is still under investigation and declined ISMG's request for additional details, including the type of hacking incident that occurred (see: Tennessee Pediatric Hospital Responding to Cyber Incident).
- Alabama-based Norwood Clinic, a multispecialty medical practice, reporting to HHS on Feb. 25 a hacking/IT incident affecting 228,000 individuals. The clinic did not immediately respond to ISMG's request for details about the incident (see: 2 Healthcare Hacking Incidents Affect 310,000 Patients).
- Montana-based Logan Health Medical Center, formerly Kalispell Regional Healthcare, reporting to HHS on Feb. 22 a hacking/IT incident involving nearly 214,000 individuals. A proposed class action lawsuit involving the breach was filed earlier this month against Logan Health in a Montana federal court (see: Class Action Filed in Logan Health Breach Affecting 214,000).
Of the 117 breaches affecting 5.31 million individuals added to the federal tally so far in 2022, the vast majority - 96 breaches affecting 5.14 million individuals - were reported as hacking/IT incidents.
As of Thursday, the remainder of the breaches posted on the HHS OCR tally so far in 2022 included 20 "unauthorized access/disclosure" incidents affecting nearly 147,500 individuals and two breaches involving lost or stolen unencrypted computing devices, affecting a total of about 26,000 individuals.
Last year - as was the case over the past several years - the most common breach type reported to HHS OCR is hacking incidents, says Lisa Pino, director of HHS OCR, in a recent interview with ISMG, urging covered entities and business associates to take "a heightened" cybersecurity posture (see: Exclusive: Interview with HHS OCR Director Lisa Pino).
"There's no question that cyberattacks continue to grab headlines," as the healthcare sector continues to deal with the COVID-19 pandemic, she says.
"Always be prepared. You might also be more vulnerable to a cyberattack when under crisis," she adds. "It's when you're most vulnerable that things happen."
Michael Hamilton, CISO at security firm Critical Insight, says he expects the current hacking incident trends involving data exfiltration and ransomware to persist and potentially morph in the months ahead.
"Our expectation for 2022 should be that current trends will continue - notably because of the economic sanctions imposed on Russia and the need to make up that 'revenue,'" he says. "It is well known that criminal gangs in Russia operate with the tacit approval of the state, and now the state needs that favor to be returned."
Hamilton, who was previously CISO of the city of Seattle, says that a top reason for the uptick in hacking incidents involving data theft is that records theft for the purpose of extortion is classified as a crime while extortion through the use of ransomware against critical sectors such as healthcare is considered terrorism.
"In the second half of 2021, these attacks on healthcare providers were actually down, but [attacks on] business associates and health plan providers were both up, by 18% and 35%, respectively," he says. "As [health] plan providers house records for many covered entities - such as hospitals and clinics - they add an outsized signal to the count, and this trend will likely continue through 2022."
As the Russia-Ukraine war escalates, new health data breach trends could emerge, he says. "We haven’t seen 'wiper' destructive malware used against the health sector, but if geopolitical tensions escalate, we may well see exactly that."