Breach Notification , HIPAA/HITECH , Incident & Breach Response

Health Data Breach Trends: A Mid-Year Assessment

Biggest Incidents Have a Wide Variety of Causes
Health Data Breach Trends: A Mid-Year Assessment

What major health data breach trends emerged in the first half of 2020?

See Also: Live Webinar | A Buyers' Guide: What to Consider When Assessing a CASB

Although many of the largest breaches involved hackers and targeted business associates, the theft of unencrypted laptops and the improper disposal of paper records also led to big breaches.

A Thursday snapshot of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows that so far in 2020, 250 breaches affecting about 5.4 million individuals have been added.

Also commonly called the “wall of shame,” the HHS Office for Civil Rights website lists health data breaches impacting 500 or more individuals. The website shows a total of 3,316 breaches affecting nearly 244.3 million individuals since it was initiated in September 2009.

The 10 largest breaches added to the tally have impacted nearly 2.8 million individuals – or nearly 52 percent of everyone affected by major breaches so far this year.

Largest Breaches Added to HHS Tally in First Half of 2020 *

Organization Individuals Affected
Health Share of Oregon 654,400
Elkhart Emergency Physicians 550,000
BJC Health System 288,000
Ambry Genetics Corporation 233,000
PIH Health 200,000
BST & Co. CPAs 170,000
Aveanna Healthcare 166,000
Tandem Diabetes Care 141,000
Brandywine Urology Consultants 132,000
Beaumont Health 112,000
Meridian Health Services 111,400
Source: Department of Health and Human Services
*Does not include the nine individual breach reports filed by entities impacted by the Magellan ransomware incident, which affected a total of nearly 365,000 individuals

Hacker Incidents

Of major health data breaches posted to the tally so far in 2020, 150 were reported as hacking/IT incidents, and they affected a combined total of about 3.8 million individuals. Some 101 of those incidents apparently involved phishing attacks.

The largest breach involving a hacking/IT incident involved a business associate, BJC Health System in Missouri, which provides services to hospitals as a parent corporation. That incident, reported as involving email, impacted nearly 288,000 individuals.

But a total of at least nine breach reports all stemmed from the same incident – an April ransomware attack on managed care company Magellan. Those incidents affected a total of nearly 365,000 individuals (see Victim Count in Magellan Ransomware Incident Soars).

”The alarming increase in cyberattacks and ransomware incidents that have compromised huge numbers of patients’ health information is unfortunately not a new phenomenon,” says privacy attorney David Holtzman, principal of consulting firm HITPrivacy LLC.

“Recent survey data tells us that the leading cause of the current trend can be tied to hackers attacking healthcare organizations through phishing incidents,” he notes. “Investment in technical security controls to actively monitor and alert system administrators to suspicious activity, combined with employee awareness and training, are some key steps to better defending against these threats.”

Other Top Incidents

The second most common category of breaches added to the tally in 2020 is those classified as unauthorized access/disclosure incidents.

So far, 64 such breaches affecting nearly 298,000 individuals have been added to the HHS website in 2020. The largest was reported in April by Arizona Endocrinology Center, affecting about 74,100 individuals (see Insider Threats: Lessons from 3 Incidents).

Some 24 breaches add to the tally involve the theft or loss of paper records or electronic data; those affected a total of nearly 731,000 individuals. Of those incidents, 17 involved unencrypted devices.

The biggest breach added to the tally so far this year was the theft of a laptop reported in February by Medicaid coordinated care provider Health Share of Oregon. That incident, which affected 654,000 individuals, stemmed from the theft of a device from the office of Health Share of Oregon’s former non-emergency medical transportation vendor, GridWorks, in a November 2019 break-in (see Breach Report: Sometimes Encryption is Still Overlooked).

The tally also shows new breach reports on 12 incidents affecting a total of 577,000 that involved improper disposal of protected health information. The biggest of those incidents, accounting for 550,000 victims, was reported in May by South Bend, Indiana-based Elkhart Emergency Physicians. It involved a business associate - Central Files Inc. - that improperly disposed of paper records.

Business Associate Blame

Of the 250 breaches added to the tally in 2020, 82 were reported as involving a business associate, affecting a combined total of about 2.55 million individuals.

That means that BAs were involved in about a third of the breaches added to the tally, but those incidents were responsible for impacting about 47 percent of individuals affected by all newly added breaches.

”It is not surprising that BAs experience breaches just as covered entities do,” says Kate Borten, president of privacy and security consulting firm The Marblehead Group. “Many organizations, such as small practitioners and small and midsize hospitals, have struggled with their own security and privacy compliance and have not looked beyond BA agreement-signing,” she notes.

Because some recent business associate breaches - such as the Magellan ransomware incident - have affected multiple healthcare organizations, “it’s clear how interconnected we are,” notes Susan Lucci, senior privacy and security consultant at tw-Security.

”With multiple points of connectivity, it is likely that if one client of a business associate becomes a victim of a breach, others may be next, creating a cascade of breach events. Because of interconnectivity pursuits, it is extremely difficult to lock down every potential entry point of risk,” she says.

”This is one reason why it is so incredibly important to touch base with your business partners to check in. Ask what their data security goals are for this year. If there is a long pause, then another, more detailed conversation is warranted. The bottom line is communicate with your business associates to validate how they are protecting your data.”

Looking Ahead

Lucci predicts that business associate breaches and phishing emails that open the door to ransomware or other malware attacks will continue to plague healthcare.

”The more business associates are aware of ways to improve their practices, the more protected your organization will be,” she notes. “When it comes to email incidents, cybercriminals have been extremely creative in finding new ways to get people to make a fatal click on links and open attachments that contain ransomware or malware.”

Pointing to the impact of the COVID-19 pandemic, Borten adds: “We are likely to see more breaches due to the big shift to remote work this year. That opens up new vulnerabilities, and yet our security resources may not be sufficient to address them and sufficiently mitigate the added risks.”

Holtzman suspects that healthcare organizations may be under-reporting data breaches this year.

“The COVID-19 pandemic has brought dramatic changes in the business of healthcare as well as the spike in treatment services being provided by unsecure video conferencing applications,” he says. “The unplanned migration to the work-from-home setting has fundamentally changed how our data is being managed. We are playing catch-up in creating processes and controls to ensure that patient information is being appropriately safeguarded as well as recognizing when data has been compromised.”

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.