Health Data Breach Tally: A Mid-Year Update
What Trends Does the Breach List Reveal So Far in 2019?
With half of 2019 in the rear-view mirror, what are the emerging healthcare data breach trends so far this year? Hacker/IT incidents continue to be the dominant cause of breaches, while another formerly common cause - lost or stolen devices - has become relatively rare, according to the federal tally.
A July 2 snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that all of the 10 largest health data breaches added to the tally so far this year involve "hacker/IT" incidents. The tally lists breaches affecting 500 or more individuals.
"Hacker/IT incidents" include hacker incidents or other cyberattacks as well as incidents involving various IT mishaps, such as misconfigured computer settings that leave protected health information exposed on the web.
The largest breach added to the tally so far this year is a hacking incident affecting almost 3 million individuals reported June 21 by Dominion Dental Services, a Virginia-based insurer.
The company said in a breach notification statement that the incident was first discovered in April but is believed to have started nine years ago.
The second largest breach on the tally - reported by Puerto Rico-based Inmediata Health Group - was reported as an "unauthorized access/disclosure" breach. But that incident actually involved a misconfigured IT setting that left protected health information of nearly 1.6 million individuals exposed on the internet, according to Inmediata.
Misconfigured IT settings - most often reported by entities as "hacking/IT incidents" - have been involved in several other large health data breaches reported so far this year.
That includes the third largest health data breach reported: an incident at UW Medicine involving a misconfigured database setting that left the PHI of 974,000 individuals exposed on the internet.
As of July 2, 218 breaches affecting a total of nearly 10 million individuals have been added to the HIPAA Breach Reporting Tool website - commonly called the "wall of shame" - so far this year.
Of those, 127 breaches impacting 7.7 million individuals - or about 77 percent of those affected - are described as hacking/IT incidents.
Since the tally's inception in September 2009, 2,776 breaches impacting a total of about 201 million individuals have been listed.
10 Largest Health Data Breaches, Mid-Year 2019
| Breached Entity | Individuals Affected* |
|---|---|
| Dominion Dental Services | 2,965,000 |
| Inmediata Health Group | 1,600,000 |
| Columbia Surgical Specialist of Spokane | 400,000 |
| Doctors Management Services | 207,000 |
| Centrelake Medical Group | 198,000 |
The number of hacking/IT incidents reported so far this year "is not a good trend," says Tom Walsh, president of consulting firm tw-Security.
"According to Roger Severino, the HHS director of the Office for Civil Rights, and the stats he shared at HIMSS 2019, there were 149 hacking/IT incidents in all of 2018," Walsh adds. "We're already at 85 percent of last year's number and we're only halfway through 2019."
Meanwhile, breaches stemming from the loss or theft of computing devices, which in the initial years dominated the tally, continue to decline.
So far this year, only 15 loss/theft incidents affecting a total of about 145,000 individuals have been posted on the federal tally.
"The reduced number of breaches due to loss or theft of devices is a good sign, most likely due to the widespread adoption of encryption on portable devices and media," says Kate Borten, president of privacy and consulting firm The Marblehead Group. Losses or thefts of encrypted devices are not reportable breaches under HIPAA.
But, Walsh argues, "The number of reportable breaches involving loss/theft of electronic gear such as laptops is still too high."
Business Associate Breaches
So far this year, business associates have been reported as "present" in 47 breaches affecting nearly 1.25 million individuals that have been added to the tally.
"There is wide variation among BAs in terms of their security and privacy expertise and awareness," Borten notes. "Some do an excellent job, but many fall short, especially in understanding and meeting the full scope of their regulatory obligations."
The largest health data breach involving a business associate added to the tally was reported by Pennsylvania-based Zoll Services, which provides emergency medical products, such as wearable heart defibrillators. That incident, which impacted more than 277,300 individuals, occurred while a third-party vendor was migrating a server containing Zoll's archived email.
Walsh says he's hopeful BA-related incidents will fall as the year goes on.
"A trend we are seeing is that more covered entities are vetting their vendors before signing a contract as well as asking current business associates to demonstrate how they are handling risk and HIPAA compliance, mainly through the completion of questionnaires and evidence collection," he notes.
"This is a good trend which should hopefully reduce the number of breaches involving business associates."
Coming Soon to the Federal Tally?
Not reflected on the federal tally as of July 2 is the mega-breach revealed last month by American Medical Collection Agency, which reportedly affected at least 20 million patients of several medical laboratory testing firms, including Quest Diagnostics and LabCorp.
Once details of that business associate incident are confirmed by HHS, the AMCA incident could be the largest health data breach revealed so far this year.
"It's time for business associates to improve their security posture and maturity," Walsh says. "They have skin in the game. While the number of breaches is slowly on the decline, the number of patient lives affected by a breach related to business associates remains high."