Anthem Hack Now Tops 'Wall of Shame'
Federal Breach Tally to Soon Include More Hacker Attacks
The addition of health insurer Anthem, which runs Blue Cross and Blue Shield plans, to the tally comes as Premera Blue Cross announced on March 17 that a hacking attack against its systems in January affected 11 million individuals (see Another Massive Health Data Hack).
Meanwhile, new reports of smaller hacking incidents in the healthcare sector continue to roll in, although many of these breaches haven't yet made it to the federal tally.
Victim Tally Triples
The addition of Anthem's breach nearly tripled to 120 million the official federal tally of individuals affected by major breaches reportable under the HIPAA notification rule since September 2009.
As of March 17, there were 1,162 major breaches affecting 500 or more individuals listed on the federal tally, including the newly entered Anthem breach.
The insurer's hacking attack is the biggest breach of any type listed on the tally. The breach is also by far the largest of the 97 breaches listed as "hacking incidents."
However, because covered entities choose how to describe an incident when they report breaches to HHS, there are likely many breaches labeled as involving "theft" as well as "unauthorized access" that actually involved hackers, says Dan Berger, CEO of consulting firm Redspin. For example, the Community Health Systems hacking incident that affected 4.5 million individuals last year is listed on the HHS tally as involving "theft."
The 97 breaches officially listed as "hacking incidents" on the "wall of shame" affected nearly 82.6 million individuals, of which 78.8 million were victims of the Anthem hack attack. But if the Community Health Systems incident is added to the hacking tally, that grand total climbs to about 87.1 million individuals affected by hacks.
Recent Hacker Breaches
"Without a doubt, PHI breaches due to hacking attacks are becoming more frequent," Berger says. In fact, Redspin's most recent PHI Breach Report noted that more than 50 percent of the records breached in 2014 were exposed in hacking incidents, Berger says. "This trend was very predictable. In early 2014, we advised our clients that the threat from malicious outsiders - hackers - has the potential to wreak havoc on the healthcare industry."
Here's a sampling of recent health data hacking incidents that have been revealed, but have not yet been posted to the official federal tally:
- Advantage Dental, an Oregon-based dental services provider, is notifying more than 151,000 patients that its intrusion detection system discovered an internal database was illegally accessed. In a statement, Advantage says the hacking incident occurred between Feb. 23 and Feb. 26. The intruder was able to gain access to the database through a computer that had been infected with malware. The intrusion resulted in unauthorized access to names, dates of birth, phone numbers, Social Security numbers and home addresses.
- Sacred Heart Health System, based in Pensacola, Fla., reports that a third-party billing vendor revealed that one of its employees' email credentials had been compromised by a hacker. The resulting breach exposed personal information for approximately 14,000 patients of the health system. The PHI in the hacked email account included patient names, dates of service, dates of birth, diagnoses and procedures, billing account numbers, total charges and physician name. Approximately 40 individuals' Social Security numbers were also compromised.
- Aurora Health Care in Wisconsin is notifying an undisclosed number of current and former caregivers of a breach after discovering malware on some of the company's workstations and servers. In a statement, the company says a forensics investigation revealed that the malware, discovered in January, was designed to intercept active sessions and capture login information when certain websites - mostly financial and some social media - were accessed. The health system says the FBI and other law enforcement agencies are investigating the incident.
Another hacking incident recently added to the federal tally affected St. Mary's Health in Evansville, Ill. In a March 5 statement, St. Mary's says it learned on Jan. 8 that several employees' email user names and passwords had been compromised by a hacker. The compromised email accounts contained some personal information for approximately 4,400 individuals. Exposed information included patient names, dates of birth, dates of service, insurance information, limited health information and, in some cases, Social Security numbers.
Better Detection Needed
Berger says it's likely that there are many more hacker incidents in the healthcare sector that haven't been detected either by covered entities or their business associates.
"I don't think there has been any significant improvement in detection," he says. "Hackers are targeting healthcare because the value of a health record on the black market is very high. And the investment in IT security protections in healthcare lags behind most other industries. This trend was very predictable. Hackers are bad guys but good economists."
Security expert David Kennedy, founder of the consulting firm TrustedSec, agrees that many organizations fail to discover these incidents.
"The problem right now is that most organizations within the medical space aren't even capable of detecting attacks," Kennedy says. "A number of them are already breached or have been for a long period of time. The medical industry needs to get proactive on security - it's no longer an optional cost for organizations, it's mandatory."
Improving detection, he says, "comes down to good security practices. You have to train your users on what to look for - not to be security pros but to look for weird behavior. We see a high success rate with a well-educated staff regardless of the size of the organization."
Beyond boosting breach detection, healthcare organizations need to take additional steps to prevent incursions, Berger says.
"Healthcare organizations must understand that IT security is a process not a project," he says. "Regular cycles of penetration tests, vulnerability assessments and security awareness training/testing should be part of any entity's information security program. And that process needs to be followed by remediation, validation and re-testing."
Security expert Mac McMillan, CEO of consulting firm CynergisTek, says defending against hackers requires that organizations "get back to basics and do a better job of hardening and managing the enterprise." Among the essential steps, he says, are rolling out two-factor authentication as well as applying encryption "not just on data in motion, but at rest and for other important things like user IDs and passwords."