Health Breach Tally to Pass 20 Million3 Incidents Affecting 1.3 Million Not Yet on List
After a quiet start to the year, the federal tally of individuals affected by major healthcare information breaches soon could exceed 20 million once three recent incidents are added. For now, the tally includes 410 incidents affecting almost 19.2 million individuals since September 2009.
As of April 24, the breach list includes only four 2012 incidents affecting a total of about 31,000. Not yet on the tally, however, are these three recent significant breaches:
- A Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children's Health Insurance Plan recipients and others;
- An Emory Healthcare breach involving 10 missing computer disks, affecting 315,000 surgical patients;
- A South Carolina Department of Health and Human Services breach affecting 228,000 Medicaid recipients. The incident involved a now-fired employee who was arrested for allegedly transferring patient information to his personal e-mail account.
The Department of Health and Human Services' Office for Civil Rights adds breaches to its "wall of shame" tally after it conducts an investigation and confirms the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.
Hacking Incidents Relatively Rare
About 55 percent of all the major breaches reported since the rule went into effect have involved lost or stolen unencrypted electronic devices or media. By comparison, only about 7 percent have involving a hacker attack.
The Utah Department of Health breach incident is, by far, the largest of the about 30 hacking incidents on the list of major breaches. And it's an important eye-opener, says security consultant Rebecca Herold of Rebecca Herold & Associates (see: Utah Hack Attack: Lessons Learned). "This incident should make it clear to business leaders, in all types of organizations, that there are hackers out there who are keeping an eye on systems that they view as prime targets yielding huge goldmines of data if they can find one hole to slip through," she says.
Adam Greene, a former OCR official and now a partner at the law firm Davis Wright Tremaine, is surprised there haven't been more hacking incidents added to the list of major breaches. Some criminals consider health information to be far more valuable than financial information, he notes. The stolen information could pave the way for submitting false healthcare claims in bulk, and health insurance information also could be used to fraudulently obtain treatment. "I have had concerns that there could be more hacking incidents that are going undetected," he says.
Preventing Hacker Attacks
In the Utah incident, authorities said the hacking attack was made possible because of a problem with protecting a state server. "In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system," according to a Utah Department of Health statement. The state's Department of Technology Services, which managed the server, "has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure."
Such failures to follow procedures are common among healthcare organizations, Herold contends. "I believe such mistakes, oversights, and outright 'Well, no one's going to catch this' types of situations are likely widespread," she says.
It's very easy for mistakes to occur within the network security architecture of a complex set of systems," Herold notes. "And there will always be some humans involved who are tempted to bypass important security controls because they slow them down, are cumbersome to follow, take too long to perform or they simply believe that no one will ever be able to find such a vulnerability."
Greene stresses that, in light of the Utah incident, organizations should "consider technical methods of monitoring server and desktop configurations to ensure that security controls are uniformly applied and maintained."
The Utah incident also points to the value of encryption. If the information on the server was protected by encryption, the hacking incident would not even have had to be reported under the breach rule.
Greene also notes that another good breach prevention measure is to conduct a comprehensive risk assessment. Plus, he says launching an ongoing evaluation program that includes vulnerability and penetration testing also helps guard against hackers.
Seven Anti-Hacking Tips
Herold suggests seven steps to thwart hacker attacks: