Sizing Up Health Data Breaches Reported in 2017 So Far
Incidents Added to 'Wall of Shame' Have Been Relatively Small
Some 22 relatively small health data breaches reported in 2017 have been added so far to the official federal tally of breaches affecting 500 or more individuals.
Meanwhile, some breaches reported to federal regulators last year are still being added to the Department of Health and Human Services' Office for Civil Rights' "wall of shame."
The 22 breaches reported so far in 2017 affected a total of 75,270 individuals, according to a Feb. 7 snapshot of the tally.
The largest of those breaches is a hacking incident reported on Jan. 27 by WellCare Health Plans Inc. of Florida, which affected about 25,000 individuals.
In a statement, WellCare tells Information Security Media Group that it was alerted on Dec. 27, 2016, that Summit Reinsurance Services, WellCare's former reinsurance services provider, experienced a ransomware attack to its file server on Aug. 8, 2016.
"Summit indicated that the encrypted information involved may have included names, dates of birth, addresses, member IDs, diagnoses, provider names and locations, and Social Security numbers of current and former WellCare members," the statement says. "Summit has stated there is no evidence to suggest that current or former WellCare member PHI was misused or removed from its computer system."
WellCare says it is offering affected individuals one year of free credit monitoring services.
The second largest of the breaches reported in 2017 was a hacking incident affecting Verity Health System of Redwood City, Calif., that exposed data on 10,000 individuals.
A Feb. 6 statement issued by Verity Health, which operates six hospitals, indicates that on Jan. 6, officials detected "that an unauthorized third party accessed the Verity Medical Foundation-San Jose Medical Group website, which is no longer in use."
Verity Health says it "promptly initiated an internal investigation and determined that the access occurred between October 2015 and January 2017." Breached information includes patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers and the last four digits of credit card numbers.
Among other breaches reported in 2017 that have been added to the tally are four other breaches listed as hacking/IT incidents, eight unauthorized access/disclosure breaches, four incidents involving the loss/theft of unencrypted mobile devices, three incidents involving lost paper/films, and one theft of protected health information on a medium listed only as "other."
2016 Incident Reports Added to Tally
In addition, some larger breaches reported in 2016 have been added to the federal tally since Jan. 4, when ISMG published its last snapshot (see Analysis: 2016 Health Data Breaches, and What's Ahead).
As a result, the tally for breaches reported in 2016 has grown to 327 incidents affecting a total of almost 17 million individuals. The largest of the breaches recently added to the tally was a hacking incident reported on Dec. 21 by Community Health Plan of Washington, affecting almost 382,000 individuals.
A statement issued by the not-for-profit insurance company in December says the breach resulted from a security vulnerability on the computer network of a business associate that provides it with technical services.
The CHPW incident now ranks as the 10th largest health data breach that was reported to federal regulators in 2016.
Some security experts predict that more massive health data breaches inevitably will show up on the official tally this year.
"There likely have been some large breaches that haven't been discovered yet," says Rebecca Herold, president of SIMBUS LLC, a privacy and security cloud services firm, and CEO of The Privacy Professor, a consultancy. "There are likely some huge breaches that have been discovered, but the organizations experiencing them are waiting to report them until either they have done more investigation to gather more of the facts involved."
Some attorneys are advising covered entities and their business associates to delay reporting breaches until they are able to include some positive information about how there "likely is no unauthorized use of the PHI," she says. "I've also seen cases where organizations had a breach and panicked because they knowingly did not have all their HIPAA compliance requirements implemented. So they quickly put together their security and privacy program to meet all HIPAA requirements and then reported the breach in an effort to avoid getting the highest tier of penalties as a result of having no program in place, and thus being viewed as [guilty of] willful neglect."
Herold also notes that recent research from Protenus Inc., a provider of patient privacy analytics, found:
- The average time to discover PHI data breaches is about 233 days;
- Insider-wrongdoing PHI breaches often take almost three times as long to discover;
- The average time from the breach to reporting the incident to HHS was 344 days - almost a full year.
"Unfortunately, the next mega breach will happen as long as criminals find it profitable to exploit security weaknesses," says Keith Fricke, co-founder and principal consultant at tw-Security.
Total Breach Tally to Date
The Feb. 7 Wall of Shame snapshot shows that since September 2009, 1,823 major breaches affecting 171.3 million individuals have been reported to federal regulators.
Hacking incidents have by far been responsible for the largest number of victims. To date, 276 hacking incidents have impacted 128.6 million individuals.
Some privacy and security experts expect the number of incidents involving cyberattacks will continue to grow.
"I anticipate a continuing rise in ransomware infections and variants," Fricke says. "Ransomware generates a lot of revenue for criminals."
Fricke also says business associates will continue to be vulnerable to breaches. "Healthcare organizations will put pressure on their business associates to prove they are managing risk to PHI entrusted to them," he says.
Fricke also expects to see more healthcare organizations increase their information security budgets after OCR begins reporting results of its 2016 HIPAA compliance desk audits and entities begin to worry about fines for noncompliance.