Health Data Breach Update: What Are the Causes?
Phishing Still a Major Culprit, But Other Challenges Emerge
Phishing scams continue to be a leading cause of health data breaches so far this year. But the theft of unencrypted laptops led to the biggest breach reported in 2020, and an insider breach involving a physician exposed data on thousands of patients.
As of Tuesday, 171 major health data breaches affecting a combined total of nearly 3.6 million individuals have been added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website so far this year.
The website, also commonly referred to as the "wall of shame," lists health data breaches affecting 500 or more individuals.
Of major breaches posted so far this year, 104 were reported as hacking/IT incidents, and those affected a combined total of nearly 2.7 million individuals. That means that although hacking/IT incidents make up about 60% of the breaches posted so far on the tally in 2020, they are responsible for 75% of individuals impacted.
Of the hacking/IT incidents added to the tally, 65 incidents - affecting nearly 2.1 million individuals - are listed as involving email, making phishing scams the predominant culprit in health data breaches in 2020 so far.
Although 11 of the 12 largest breaches added to the tally this year are hacking/IT incidents, the biggest breach involved stolen unencrypted laptops. That incident, reported by Health Share Oregon in February, affected more than 654,000 individuals.
As of Tuesday, the federal tally shows a total of 3,237 major health data breaches affecting nearly 242.5 million individuals since September 2009, when the HIPAA Breach Notification Rule took effect.
The largest phishing-related breach added to the tally in recent weeks was reported by Meridian Health Services in Muncie, Indiana. The incident affected nearly 111,400 individuals.
In a statement, Meridian Health Services says it determined in February that for three days in December 2019, an unauthorized third party gained access to several employee email accounts containing individuals' names and, in some cases, additional information, including dates of birth, driver's license numbers, Social Security numbers, payment card information and limited medical information.
Meridian says it's unaware of any instances involving fraud or identity theft related to the incident, but the healthcare provider is making available one year of prepaid identity and credit monitoring to those individuals whose data was exposed. Meridian also reports that it has reset the credentials of the affected email accounts and has hired a third-party forensics security firm.
Hacking, including phishing attacks, will remain a top threat for healthcare sector entities in the months to come, some experts predict.
"Hackers have stepped up their efforts during the pandemic - tricking people - especially telecommuters who may be new to the 'work at home' concept - to click on a link, open an attachment, download an app, etc.," says Tom Walsh, president of consulting firm tw-Security.
Some 44 unauthorized access/disclosure breaches have been added to the federal tally so far in 2020, impacting a total of 191,000 individuals.
The largest such breach, an insider incident at Arizona Endocrinology Center, affected 74,000 individuals.
In a statement, the organization explains that as one of its doctors was recently preparing to leave the practice to join another medical group, the physician "downloaded basic information about patients from our electronic medical record," including patient names, phone number, address, name of primary doctor, and identifying number assigned to each patient.
Arizona Endocrinology learned about the incident after it heard from patients that the doctor's new practice used that information to send text messages to the individuals. "The text messages informed patients that [the doctor] was moving to [the new practice] and/or advertised [its] services," the statement notes.
Arizona Endocrinology notes that it has been difficult "to obtain solid assurances from [the former doctor and the new practice] that they have permanently deleted all of our patients' information, and have not used or disclosed that information for any other purpose."
Dealing With Departing Staff
Security and privacy teams need to be ready to deal with staff departures, security experts say.
"We cannot presume to know the reason for the doctor moving to a different organization, but what is often not mentioned in any type of privacy or security training is 'whose information is it, anyway?'" says Susan Lucci, senior privacy and security consultant at tw-Security.
"Some providers may assume that once they treat patients, they have rights to all their information. It appears that in this case, the physician downloaded only information that would be beneficial to alert the patient of the physician's new practice, not that it was downloaded for continuity of care. The personally identifiable information belongs to the facility, and they have a duty to protect it. Release of any confidential information must take place through appropriate channels and authorization."
As healthcare entities and their vendors continue to deal with the COVID-19 crisis, new circumstances for breaches could emerge, some experts note.
"It is possible that the COVID-19 situation could create new vulnerabilities as a result of accommodations and [HIPAA] waivers that have been granted by HHS," predicts privacy and security attorney Helen Oscislawski, principal and managing director of law firm Attorneys at Oscislawski LLC.
"For example, use of unsecure telemedicine applications runs a risk of a patient's consultation ending up on the internet," she notes.
And with HHS OCR now allowing HIPAA business associates to transmit COVID-19 data directly to public health authorities, breach risks could grow, Oscislawski says.
"The creation of new and untested flows of patient data always runs the risk of introducing new potential vulnerabilities that could lead to security incidents and compromise patient data," she notes.
The COVID-19 crisis also raises the possibility of new insider breaches, Walsh says.
"Users will snoop to determine if anyone they know has tested positive for COVID-19," he says. "Also, because of isolation of patients within the hospital, some may resort to snooping the EHR to find out a condition of a patient that is a relative, friend, co-worker or neighbor."
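Both insider scenarios above, a departing physician pulling a large batch of patient records and a user snooping on the chart of someone they are not treating, leave a trail in the EHR's access audit log, and both can be surfaced with simple rules. The following is an added example written for this article, not code from any of the organizations or experts quoted. The log field layout, the sample events, the treatment-relationship table and the thresholds are all constructed assumptions; real EHR audit exports differ by vendor, and the relationship data would come from scheduling or encounter tables.

```python
"""Two detections over EHR access-audit events (example code, assumptions noted):
1. bulk_access_alerts: one user touching an unusually large number of distinct
   patient records within a short window (bulk export ahead of a departure).
2. no_relationship_alerts: a user opening a chart for a patient with whom they
   have no documented treatment relationship (snooping).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, patient_id, action).
# Invented for this example; not taken from any real system.
AUDIT_EVENTS = [
    ("2020-03-02T09:10:00", "nurse_b", "P001", "view"),
    ("2020-03-02T09:20:00", "nurse_b", "P002", "view"),
    ("2020-03-02T10:00:00", "dr_a", "P002", "view"),
    ("2020-03-02T12:30:00", "nurse_b", "P009", "view"),   # no relationship
    ("2020-03-02T17:58:00", "dr_a", "P001", "export"),
    ("2020-03-02T17:59:00", "dr_a", "P002", "export"),
    ("2020-03-02T18:00:00", "dr_a", "P003", "export"),
    ("2020-03-02T18:01:00", "dr_a", "P004", "export"),
    ("2020-03-02T18:02:00", "dr_a", "P005", "export"),
    ("2020-03-02T18:03:00", "dr_a", "P006", "export"),
    ("2020-03-02T18:04:00", "dr_a", "P007", "export"),
    ("2020-03-02T18:05:00", "dr_a", "P008", "export"),
]

# Constructed treatment relationships: user -> patients on that user's panel
# or with an encounter. In production this comes from encounter/scheduling data.
TREATMENT_RELATIONSHIPS = {
    "dr_a": {"P001", "P002", "P003", "P004", "P005", "P006", "P007", "P008"},
    "nurse_b": {"P001", "P002"},
}


def bulk_access_alerts(events, window=timedelta(hours=1), threshold=5):
    """Return {user: max_distinct_patients} for users who touched more than
    `threshold` distinct patient records inside any `window`-long span.
    The threshold is an assumed tuning value; set it from a baseline of
    normal per-role activity."""
    by_user = defaultdict(list)
    for ts, user, pid, _action in events:
        by_user[user].append((datetime.fromisoformat(ts), pid))

    alerts = {}
    for user, recs in by_user.items():
        recs.sort()
        start = 0
        # Sliding window over time-ordered events, counting distinct patients.
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = {pid for _, pid in recs[start:end + 1]}
            if len(distinct) > threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


def no_relationship_alerts(events, relationships):
    """Return [(user, patient_id)] for every access where the user has no
    documented treatment relationship with the patient."""
    return [
        (user, pid)
        for _ts, user, pid, _action in events
        if pid not in relationships.get(user, set())
    ]


def run_detections(events=AUDIT_EVENTS, relationships=TREATMENT_RELATIONSHIPS):
    """Run both rules and return their findings together."""
    return {
        "bulk_access": bulk_access_alerts(events),
        "no_relationship": no_relationship_alerts(events, relationships),
    }


if __name__ == "__main__":
    for rule, findings in run_detections().items():
        print(rule, findings)
```

The two rules are complementary: the departing physician's export is of patients on their own panel, so the relationship check stays quiet and only the volume rule fires, while the single out-of-panel chart view is invisible to the volume rule and caught only by the relationship check. Pairing the volume rule with HR notice of a pending departure, and the relationship rule with a patient's admission to the same facility where the user works, is how such alerts are usually prioritized.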