More Major Hacking Incidents Added to HHS Breach Tally
Latest Analysis of Federal Health Data Breach Reporting Site
Five of the 10 largest health data breaches so far in 2022 - affecting millions of individuals - have been added to the federal tally in just the last month as the latest wave of major hacking/IT incidents being reported to regulators continues to grow.
A snapshot Thursday of the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that hacking/IT incidents were involved in more than 80% of large HIPAA breaches reported to federal regulators since January, but those incidents were responsible for nearly 97% of all individuals affected by major health data breaches posted to the tally so far this year.
The HHS Office for Civil Rights website, commonly called the "wall of shame," lists health data breaches affecting 500 or more individuals.
As of Thursday morning, the HHS website shows 165 breaches posted in 2022, affecting more than 8.43 million individuals. A little more than a month ago, an Information Security Media Group snapshot of the HHS site showed 117 breaches, affecting about 5.32 million people, posted on the federal tally so far in 2022 (see: HHS OCR Tally Analysis: Breaches, Affected Individuals Surge).
Over the last month, the additions to the tally included five of the year's largest health data breaches, which were all hacking/IT incidents. Those five breaches were reported by:
- North Dakota-based Adaptive Health Integrations - Nearly 510,600 individuals affected;
- Illinois-based Christie Business Holdings Company, P.C. - Operates Christie Clinic, nearly 503,000 individuals affected;
- California-based SuperCare Health Inc. - Nearly 318,400 individuals affected;
- Georgia-based Cytometry Specialists, Inc. - Does business as CSI Laboratories, 312,000 individuals affected;
- Texas-based Clinic of North Texas - Nearly 244,200 individuals affected.
10 Largest Health Data Breaches in 2022, So Far

| Breached Entity | Individuals Affected |
|---|---|
| Broward Health | 1.35 million |
| Adaptive Health Integrations* | 510,600 |
| Christie Business Holdings* | 503,000 |
| Monongalia Health System | 493,000 |
| South Denver Cardiology Associates | 288,000 |
| Clinic of North Texas* | 244,200 |
| Norwood Clinic* | 228,000 |

(Source: U.S. Department of Health and Human Services)
Since 2009, some 4,607 breaches affecting more than 331.3 million individuals have been posted to the HHS OCR website.
Of the breaches posted to the federal tally so far in 2022, 130 were reported as hacking/IT incidents, affecting 8.15 million individuals. That means hacking/IT incidents were involved in nearly 8 in 10 breaches posted to the HHS site so far in 2022, and those incidents were responsible for a whopping 97% of individuals affected.
The second most commonly reported breach so far in 2022 is "unauthorized access/disclosure" breaches. To date, there are 29 such incidents, affecting nearly 166,000 individuals, posted to the HHS site in 2022.
To date, only five data breaches posted in 2022, affecting a total of about 112,000 individuals, were reported as theft/loss of unencrypted computing devices. In years past, that type of breach dominated the HHS breach tally. So, the positive trend continues: More entities are encrypting the protected health information stored on these devices, and encryption also serves as a safe harbor that exempts such theft and loss incidents from being reported to HHS as HIPAA breaches.
So far in 2022, the HHS site shows only one improper disposal breach, which was reported on April 14 by North Carolina-based healthcare provider Mountain Area Health Education Center, which does business as MAHEC, as involving paper/film and affecting 1,115 individuals.
The federal tally also shows that sometimes breaches that get reported to HHS OCR end up affecting many more people than first reported to the agency.
That was the case in a ransomware breach reported last June by California-based Smile Brands Inc., a business associate that provides support services to dental practices. The HHS website shows that at that time, Smile Brands reported a hacking/IT incident involving a network server as affecting about 199,700 individuals.
But Smile Brands recently filed an updated breach report to the Maine attorney general's office about that incident, stating that the incident actually affected about 2.6 million individuals - or about 13 times as many people as originally reported.
Smile Brands did not immediately respond to ISMG's request for additional details, including clarification about the huge jump in the number of individuals affected by the breach.
Some experts say that the regulatory requirements involving data breach notification timelines can sometimes create challenges in terms of the accuracy of information initially provided by breached entities in their regulatory reports.
For instance, under the HIPAA breach notification rule, an organization must notify affected individuals and HHS without unreasonable delay and within 60 days of discovering a breach affecting 500 or more individuals.
But some regulatory timelines - such as recent federal reporting mandates, including those requiring critical infrastructure sector owners to report ransomware incidents within 72 hours and ransomware payments within 24 hours - are even more challenging, some experts say (see: Why New Incident Reporting Mandates Are Groundbreaking).
"This is one of the arguments against three-day reporting of incidents," says Michael Hamilton, CISO of security firm Critical Insight and former CISO of the city of Seattle. "It takes time to determine the full extent of a records breach, and early reporting frequently must be modified."
Keith Fricke, principal consultant at privacy and security consulting firm tw-Security, offers a similar assessment. "Incident response and forensic investigation takes time, especially when the victim organization is large and has voluminous data and logs to review to determine scope of a breach," he says. "Sometimes an organization discovers that more systems were accessed or compromised than were originally identified. If a breached organization did not completely address weaknesses that allowed criminals to gain unauthorized access, they may be able to sustain that access or regain access, leading to an increase in the scope of an initial breach."
The continuing trend of hacking incidents being the dominant type of breach reported to regulators won't abate anytime soon - and might even worsen, some experts predict.
"I believe the hacking will get more obvious, and the targets will become more important and more aligned with critical infrastructure - which includes the health sector," Hamilton says.
"My fear is that the use of wipers, or killware, will become more prevalent, and organizations will be intentionally crippled. It’s going to look like criminals did it, but there will be no decryption key provided because the point is to ramp up the pain as a retaliation for support for Ukraine," he says.
To help battle this trend, Hamilton says the private sector - including the health sector - must work more closely with the federal government in terms of sharing threat and event information.
"There are many initiatives to improve this coordination, and having key federal agencies in the fight alongside is likely the best way to curtail the hacking. The alternative is: More advice; implement these controls; rinse and repeat. That’s not working."
Fricke agrees that if tensions between Russia and the United States/NATO escalate, organizations should expect to see more cyberattacks.
"If they aren’t already doing so, organizations need to patch operating systems and applications to address security vulnerabilities, along with conducting internal phishing campaigns, phishing training, and proactive monitoring of network and system logs," he says. Fricke also says covered entities should be performing risk assessments of their vendors prior to signing contracts and periodically thereafter to the extent possible.