Ransomware, Vendor Breaches Spike on Federal Tally
Analysis of Latest Major Health Data Breaches Posted to HHS OCR Website
Hacking incidents - especially those involving ransomware attacks and vendors - continue to rack up the largest victim counts in breaches being posted in recent weeks to the federal health data breach tally.
In a little over a month, since Information Security Media Group's last snapshot on Aug. 19, some 54 major health data breaches affecting a total of nearly 4 million individuals have been added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists health data breaches affecting 500 or more individuals.
As of Tuesday, the website shows that 505 breaches have been posted to the tally in 2021 so far, affecting nearly 35.1 million individuals.
Of those, 375 were reported as hacking/IT incidents affecting nearly 33.1 million individuals - or 94% of people affected by major health data breaches so far this year.
In total, since 2009, 4,232 major health data breaches affecting nearly 307.3 million individuals have been posted on the HHS website.
Unauthorized Access, Disclosure
After hacking incidents, the second most common type of breach reported so far this year is unauthorized access/disclosure breaches. As of Monday, 105 such incidents affecting about 1.7 million individuals had been added to the tally in 2021.
Many of those reported breaches, however, also involved hacking, including a recently added unauthorized access/disclosure breach reported by UC San Diego Health that involved a phishing incident and affected nearly 496,000 individuals.
That incident, which appears to have involved attackers having access to UC San Diego Health's network for several months before detection, is also the largest unauthorized access/disclosure breach appearing on the federal tally so far in 2021.
UC San Diego Health is the subject of at least two proposed class action lawsuits so far involving that breach (see: Lawsuits: Negligence Led to UC San Diego Health Incident).
Vendors also have been at the center of nearly 40% of breaches posted to the tally so far this year.
As of Tuesday, 201 breaches in 2021 affecting nearly 20 million individuals were reported as involving business associates.
That includes the largest breach posted to the tally in 2021 so far - a hacking/IT incident affecting 3.5 million individuals reported in January by Florida Healthy Kids Corp., an administrator of children’s dental and health insurance programs in Florida.
That incident involved a website hosting vendor that apparently failed to address vulnerabilities over a seven-year period, resulting in the exposure of personal data, as well as hackers tampering with data.
Also among the largest additions to the tally in recent weeks are an assortment of ransomware breaches and vendor incidents.
That includes a hacking/IT incident reported by the University Medical Center Southern Nevada on Aug. 13 affecting 1.3 million individuals. That incident - the seventh-largest breach added to the HHS site so far in 2021 - reportedly involved a REvil ransomware attack in July.
Another major reported hacking/IT incident added to the HHS site in recent weeks - the 13th-largest breach so far in 2021 - is also suspected to involve ransomware.
That incident was reported to HHS on Aug. 30 by Chicago-based DuPage Medical Group as affecting more than 655,000 individuals. Since the July incident, DuPage - which has only referred to the episode as a "network outage" lasting several days - has rebranded itself under a new name, Duly Health and Care.
The entity is also the defendant in at least one proposed class action lawsuit related to the incident.
A hacking/IT incident reported to HHS OCR on Aug. 25 by California-based healthcare provider LifeLong Medical Care as affecting 115,000 individuals is also among the largest breaches added to the tally in recent weeks that involve both ransomware and a vendor.
A breach notification statement issued by LifeLong Medical Care on Aug. 24 indicates that the entity recently determined that its patients' protected health information potentially had been acquired by hackers in November 2020 ransomware incidents involving its third-party cloud-hosting vendor Netgain.
To date, more than a dozen Netgain healthcare entity clients have reported breaches related to the vendor's ransomware incident, affecting hundreds of thousands of individuals in total (see: Breach Victims Piling Up in Wake of Cloud Vendor Attack).
"Vendor data breaches in healthcare are running higher in 2021 than we’ve seen in previous years," says Susan Lucci, who tracks breach trends as a senior privacy and security consultant at consultancy tw-Security.
"In the second quarter of 2021, nearly 70% of all the individuals impacted by large data breaches as reported to HHS were caused by business associates," she notes.
Managing Vendor Risks
Because vendors are increasingly at the center of significant health data breaches, it is more critical than ever that healthcare entities, as well as the vendors themselves, carefully assess and mitigate these growing supply chain risks, experts note.
"The 'chain of custody' of a covered entity's PHI has been a challenging and risky topic" for years, says Kate Borten, president of privacy and consulting firm The Marblehead Group.
"Small covered entities have limited security resources and are pretty much at the mercy of their typically larger business associates and subcontractors," she notes.
But midsize and larger covered entities are in a better position to impose more oversight and control when it comes to their vendors, she says.
"Today, many large health plans, for example, often perform routine audits of their BAs. And many midsize and large providers vet prospective BAs through interviews and more formal questionnaires."
Additionally, covered entities should take advantage of their business associate agreements, "by periodically checking on all involved vendors to help ensure the vendors understand they are being monitored," she notes.
"This should lead to more transparency and incentive to invest in strong security programs."
Long lags that sometimes occur between a business associate discovering a data security incident and the determination that the PHI of its clients' patients was compromised in the event add to the risks posed by vendors, according to Lucci.
"The process of determining whether an unauthorized access has taken place can take a relatively long time," she says.
For instance, in the case of LifeLong and Netgain, it appears to have taken approximately three months before Netgain determined that data had been compromised, Lucci notes.
"Then, it wasn’t until nearly six months later before LifeLong determined that significant PHI and personally identifiable information had been compromised."
The takeaway is that business associate agreements must require notification within a very short period of time, such as five business days, and should also include similar requirements for any subcontractors of the business associate, she suggests.
"The notification process to both individuals and HHS has time constraints," Lucci adds.
"Having to notify individuals that a data breach has occurred is something that no healthcare organization wants to do. But doing so many months after the breach took place can be even more troublesome."