Hacks Causing Most Big Health Data Breaches So Far in 2022
Only One Other Type of Breach Has Been Posted to the Federal Tally This Year
Hacking incidents still dominate, by far, the major health data breaches being reported to the U.S. Department of Health and Human Services in the first months of 2022, with only one other type of breach appearing on the federal tally so far this year.
A snapshot on Tuesday of HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website shows that so far in 2022, 64 reported health data breaches, affecting a total of nearly 3.1 million individuals, have been posted to the tally.
The HHS OCR website lists health data breaches affecting 500 or more individuals.
Of the breaches added to the tally so far in 2022, 50 were reported as IT/hacking incidents affecting about 2.97 million individuals. That means nearly 80% of the breaches posted on the HHS OCR website in 2022 were reported as hacking/IT incidents, and those incidents were responsible for 96% of individuals affected so far this year by major health data breaches.
Thirteen breaches reported as "unauthorized access/disclosure" incidents affecting nearly 88,700 individuals are the only other type of breach added to the tally so far in 2022.
There is only one "theft" incident posted on the HHS tally in 2022 involving unencrypted computing devices. The incident involved protected health information contained on a backup medical imaging server stolen during a November 2021 burglary reported to HHS on Jan. 14 by South City Hospital in St. Louis, Missouri. It affected about 21,600 individuals.
Since 2009, the HHS tally shows some 4,505 reported breaches affecting 323.4 million individuals. The largest number of people were affected by health data breaches in 2015, when 270 major HIPAA breaches affected a record 112.5 million individuals. But that included 78.8 million individuals affected by a single incident - a major cyberattack on health insurer Anthem.
Largest Reported Breaches in 2022, So Far
- A hacking incident involving data exfiltration, affecting 1.3 million individuals, reported on Jan. 2 by Florida-based North Broward Hospital District, which does business as Broward Health;
- A ransomware incident, affecting more than 521,000 individuals, reported on Feb. 1 by Michigan-based Morley Companies Inc., a vendor that provides business processing services to health plans;
- A cyberattack involving the exploitation of a SonicWall product vulnerability, affecting nearly 135,000 individuals, reported on Jan. 7 by Utah-based Medical Review Institute of America, a vendor that provides clinical reviews and virtual second opinions;
- A hacking incident involving data theft, affecting nearly 134,000 individuals, reported on Jan. 22 by Massachusetts-based Medical Healthcare Solutions Inc., a medical billing vendor;
- A network hacking incident that appears to involve ransomware, affecting nearly 116,000 individuals, reported on Feb. 7 by Illinois-based South Shore Hospital Corp., a community healthcare organization.
In 2021, a record-breaking 714 major health data breaches affecting more than 45.7 million individuals were reported to HHS (see: Record Number of Major Health Data Breaches in 2021).
That includes some 526 breaches reported as hacking/IT incidents affecting 43.1 million individuals. Similar to the trends playing out in the early months of 2022, hacking/IT incidents were involved in 73% of all 2021 breaches posted to the HHS website, and they were responsible for about 94% of individuals affected.
Those figures could continue to grow in the weeks to come as HHS OCR officials review and confirm details of additional HIPAA breach reports submitted at the end of 2021 and post them to the website.
While covered entities and business associates are battling hacking incidents, it is critical that they don't lose focus on preventing and detecting other types of incidents that also put PHI at risk for compromise, some experts say.
"Insider threats are particularly high in healthcare, and they are especially hard to identify and thwart," says Kate Borten, president of privacy and security consultancy The Marblehead Group.
"Insiders know where the gold is, and they often know where the cracks are in an organization's security. Hence, an attack can successfully stay under the radar," she says.
The difficulty is in separating normal user activity from inappropriate actions, according to Borten.
"Further, in teaching and research provider facilities, a large portion of authorized users often are not direct employees," she says. That includes medical staff, students and researchers, in addition to business associates. "And keeping up to date of their status is more complicated and error-prone than keeping tabs on employees."
Keith Fricke, principal consultant at privacy and security consultancy tw-Security, says it is a challenge for many covered entities and business associates to monitor the "surface area" of their organizations, especially if they are focused on preventing and detecting hacking incidents.
For instance, insider incidents have been more prevalent during COVID-19 due to snooping in patient records of co-workers, neighbors and others, he says. "It is difficult for organizations to monitor so many moving parts while it only takes one successful attack to gain unauthorized access to systems or information."
"Besides snooping activity falling through the cracks, loss or theft of a personally owned device, especially smartphones with access to company email can also be missed - or at least delays in detection. IT may not become aware of a missing personal smartphone until the employee contacts IT, requesting reestablishing access to the corporate email system."
Tom Walsh, president of tw-Security, suggests that to help detect hacking incidents and other breaches compromising PHI, entities should perform a periodic dark web scan for the domain name of the organization and/or their public IP addresses.
Those scans can show whether cybercriminals have posted any information about the organization, or data that may have been obtained through an attack or data exfiltration, he says.
Walsh also says organizations should consider retaining at least one year’s worth of key log data.
Fricke says breaches due to hacking will continue, especially incidents involving servers, which tend to store large amounts of sensitive information.
Of the 50 IT/hacking incidents posted on the HHS tally so far in 2022, 35 breaches - or 70% - were reported as involving servers as the "location" of the breach. The others were reported as involving email as the "location" of the breach.