Tracking Common Causes of Recent Health Data Breaches
Analyzing Trends Reflected on 'Wall of Shame' Tally So Far This Year
The biggest health data breaches added to the federal tally so far this year are classified as "hacking/IT incidents" by federal authorities.
These incidents, which include ransomware and phishing attacks - as well as misconfigured IT - are the culprits in nearly two-thirds of the 81 major health data breaches that have been added to the U.S. Department of Health and Human Services HIPAA Breach Reporting Tool website so far this year.
Those 51 hacking/IT incidents affected nearly 2.8 million individuals, or more than 90 percent of the 3 million individuals affected by breaches added to the tally so far in 2019.
Commonly called the wall of shame, the HHS website lists health data breaches affecting 500 or more individuals that have been reported to federal authorities.
A snapshot on Monday shows that 2,667 major health data breaches affecting nearly 193.9 individuals have been posted to the HHS website since 2009.
5 Largest Health Data Breaches Reported in 2019 So Far
| Breached Entity | Individuals Affected |
| --- | --- |
| UW Medicine | 974,000 |
| Columbia Surgical Specialists of Spokane | 400,000 |
| UConn Health | 326,000 |
| ZOLL Services LLC | 277,000 |
| Centerstone Insurance and Financial Services (d/b/a BenefitMall) | 112,000 |
The largest health data breach added to the tally so far this year, which was listed as a hacking/IT incident, involved a misconfigured database reported in February by UW Medicine. That incident potentially exposed the protected health information of 974,000 individuals for several weeks late last year.
UW Medicine said in a statement that last December, it became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet. The Seattle, Washington-based academic medical system says the misconfigured database at UW Medicine was the result of a coding error when data was being moved onto a new server.
A server mishap was also the culprit in a breach reported to HHS in March by Zoll Services, a provider of emergency medical devices. That incident, which impacted 277,000 individuals, involved a third-party vendor migrating a server containing Zoll's archived email.
The other breaches among the five largest added to the HHS site so far this year were hacking incidents stemming from ransomware and phishing attacks.
In February, Columbia Surgical Specialists of Spokane, Washington, reported a hacking incident involving ransomware that impacted the PHI of 400,000 individuals.
A phishing incident at UConn Health reported in February affected 326,000 individuals. Another phishing incident was reported in January by a payroll HR/administration vendor - Centerstone Insurance and Financial Services, which does business as BenefitMall. That breach affected about 112,000 individuals.
"Phishing continues to be easier access for cybercriminals than it should be," says Susan Lucci, senior privacy and security consultant at tw-Security. "While many covered entities are educating their workforce on how to recognize and report phishing attacks, we continue to observe that when these organizations conduct phishing expeditions through a managed process, the results are worse than they expected."
The breaches reported by Zoll and BenefitMall involved third-party vendors, spotlighting once again the risks posed by business associates.
So far in 2019, business associates were reported to be involved in more than a quarter of the major health data breaches added to the federal tally. Those 27 incidents reported as involving BAs so far in 2019 impacted a total of nearly 690,000 individuals, according to the HHS site.
Lucci says covered entities need to be proactive in their security risk management involving vendors.
"If covered entities are not obtaining reasonable assurances in writing as to their BA's compliance efforts, with some evidence of that compliance, they are risking a partner who may not be protecting PHI and personally identifiable information in the same manner that is required by federal and state regulation," Lucci notes.
"All too often, after a business associate is working with a covered entity, the lines of communication focus only on the business services and deliverables. A business associate is an extension of the CE's workforce and privacy and security communications should be taking place between the CE and their BAs."
While hacking/IT incidents are dominating the breach victim tally so far in 2019, the HHS website also illustrates other common breach causes.
For instance, 12 breaches, affecting a total of nearly 124,000 individuals, stemmed from thefts or losses. Nine involved unencrypted computing devices, such as laptops or desktop computers, while three involved paper/film records.
In addition, 17 breaches caused by unauthorized access/disclosure affected a total of nearly 96,200 individuals.