Health Data Breach Tally Crowded With Vendor Incidents
Business Associate Breaches Affect Millions
Many of the major health data breaches added to the federal tally so far this year involve business associates, continuing a trend in recent years.
The largest breach added so far in 2021 to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website – which lists health data breaches affecting 500 or more individuals – is a vendor hacking incident reported on Jan. 29 by Florida Healthy Kids Corp., a provider of children's health and dental plans in Florida.
That breach – reported as affecting 3.5 million individuals – involved Jelly Bean Communications Design, a website hosting vendor that the health plans provider says failed to address vulnerabilities over a seven-year period, leaving patient data potentially exposed. Plus, the hackers tampered with some of that data, Florida Healthy Kids Corp. said in its breach notification statement last month.
The company noted in the statement that the data of "several thousand insurance applicants was inappropriately accessed" in the incident - far fewer than the 3.5 million total reported to HHS OCR.
Change in Victim Tally
Florida Healthy Kids Corp. tells Information Security Media Group it was notified on Dec. 9, 2020, that several thousand applicant addresses had been inappropriately accessed and tampered with. “These addresses are collected as part of the online Florida KidCare application. FHKC engaged independent cybersecurity experts to conduct a thorough review of the incident to confirm the scope and severity of the security incident,” the company says.
“The cybersecurity experts identified significant vulnerabilities in the hosted website platform and the databases that support the online Florida KidCare application. FHKC learned that these vulnerabilities spanned a seven-year period from November 2013 until December 2020. As a result of the extended vulnerabilities identified, we provided substitute notice to approximately 3,500,000 Florida residents who applied for or were enrolled dating back to 2013. We have no confirmation that anyone’s personal information was removed from the system.”
BA Breach Trends
As of Monday, the HHS OCR website shows 37 major breaches affecting more than 4.5 million individuals have been reported in 2021 and added to the tally so far this year. Of those, 12 breaches - including Healthy Kids - affecting nearly 3.6 million individuals were reported as involving business associates.
Some of those 37 breaches reported this year are incidents that occurred in 2020.
The HHS OCR website, launched in September 2009, now lists 3,751 major health data breaches affecting a total of nearly 275 million individuals. Of those, 919 breaches affecting nearly 90 million individuals involved a business associate.
Some of the largest health data breaches in the last couple of years involved business associate incidents that, in turn, affected dozens of clients serving millions of patients.
For instance, a hacking incident reported in 2019 involving the American Medical Collection Agency, a bill collection vendor, affected more than two dozen covered entities - including major laboratory testing firms - and more than 20 million individuals.
And in 2020, hackers hit cloud-based fundraising software vendor Blackbaud, affecting, in turn, about four dozen of its healthcare sector clients and more than 10 million individuals.
A recent analysis by CI Security found that in the second half of 2020, nearly 75% of all records breached were tied to security incidents at business associates, says former healthcare CIO Drex DeFord, strategic healthcare executive for the security vendor. "That means your security team, and the program they’ve created, needs to not only protect your organization, but it needs to be able to verify all your vendors have high-level cybersecurity programs. That’s a lot to ask."
Hackers are taking advantage of the interconnectivity of healthcare organizations and the vendors that serve them, DeFord says. In the Blackbaud incident, he points out, "a breach of a single vendor resulted in a multitude of healthcare organizations that had to file breach reports with HHS."
One of the business associate breaches posted on the HHS tally so far in 2021 is a hacking incident reported by The Richards Group, a Vermont-based vendor that provides insurance-related services to businesses.
The federal tally indicates that the email hacking incident, which affected about 15,400 individuals, was reported to HHS on Jan. 28. But a recent breach notification statement issued by The Richards Group indicates the incident involved a phishing attack that compromised an employee email account sometime last May.
Unfortunately, many vendors still do not appreciate the devastating impact their poor security controls and practices can have on their healthcare clients' data, says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Today, many BAs are startups with good ideas for healthcare products and services, but very limited security and privacy expertise, so security is not 'baked in' to their offerings," she notes.
"Despite today's greater visibility, it will likely be many years before the U.S. sees security treated with the importance it deserves across all sectors."
2020 Tally Keeps Climbing
In recent weeks, several dozen breaches reported to HHS OCR in 2020, affecting a total of nearly 2 million individuals, have been added to the tally (see: Analysis: 2020 Health Data Breach Trends).
Sometimes a lag occurs between when an entity reports a breach to HHS OCR and when that incident gets posted to the federal breach tally website. That's because OCR reviews details about the incident described in the breach report filed by the entity before the breach gets posted to the tally.
As of Monday, the HHS website shows 650 breaches affecting more than 30.7 million individuals were reported in 2020.
Among the largest breaches reported in 2020 and posted to the federal tally in recent weeks was a hacking incident affecting nearly 879,000 individuals reported on Nov. 25 by Maryland-based US Fertility, a business associate that provides IT and other support services to a network of fertility practices operating in several states.
In a breach notification statement, US Fertility says the incident involved a ransomware attack discovered in September 2020.
The company says in its statement that a forensic investigation determined that the unauthorized actor acquired "a limited number" of files during the period of unauthorized access, which occurred between Aug. 12, 2020 and Sept. 14, 2020.