[BreachExchange] Sizing Up Health Data Breaches Reported in 2017 So Far

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 7 19:59:34 EST 2017


http://www.databreachtoday.com/sizing-up-health-data-breaches-reported-in-2017-so-far-a-9673

Some 22 relatively small health data breaches reported in 2017 have been
added so far to the official federal tally of breaches affecting 500 or
more individuals.

Meanwhile, some breaches reported to federal regulators last year are still
being added to Department of Health and Human Services' Office for Civil
Rights' "wall of shame."

The 22 breaches reported so far in 2017 affected a total of 75,270
individuals, according to a Feb. 7 snapshot of the tally.

The largest of those breaches is a hacking incident reported on Jan. 27 by
WellCare Health Plans Inc. of Florida, which affected about 25,000
individuals.

In a statement, WellCare tells Information Security Media Group that it was
alerted on Dec. 27, 2016, that Summit Reinsurance Services, WellCare's
former reinsurance services provider, experienced a ransomware attack to
its file server on Aug. 8, 2016.

"Summit indicated that the encrypted information involved may have included
names, dates of birth, addresses, member IDs, diagnoses, provider names and
locations, and Social Security numbers of current and former WellCare
members," the statement says. "Summit has stated there is no evidence to
suggest that current or former WellCare member PHI was misused or removed
from its computer system."

WellCare says it is offering affected individuals one year of free credit
monitoring services.

The second largest of the breaches reported in 2017 was a hacking incident
affecting Verity Health System of Redwood City, Calif., that exposed data
on 10,000 individuals.

A Feb. 6 statement issued by Verity Health, which operates six hospitals,
indicates that on Jan. 6, officials detected "that an unauthorized third
party accessed the Verity Medical Foundation-San Jose Medical Group
website, which is no longer in use."

Verity Health says it "promptly initiated an internal investigation and
determined that the access occurred between October 2015 and January 2017."
Breached information includes patient names, dates of birth, medical record
numbers, addresses, email addresses, phone numbers and the last four digits
of credit card numbers.

Among other breaches reported in 2017 that have been added to the tally are
four other breaches listed as hacking/IT incidents, eight unauthorized
access/disclosure breaches, four incidents involving the loss/theft of
unencrypted mobile devices, three incidents involving lost paper/films, and
one theft of protected health information on a medium listed only as
"other."

2016 Incident Reports Added to Tally

In addition, some larger breaches reported in 2016 have been added to the
federal tally since Jan. 4, when ISMG published its last snapshot (see
Analysis: 2016 Health Data Breaches, and What's Ahead).

As a result, the tally for breaches reported in 2016 has grown to 327
incidents affecting a total of almost 17 million individuals. The largest
of the breaches recently added to the tally was a hacking incident reported
on Dec. 21 by Community Health Plan of Washington, affecting almost 382,000
individuals.

A statement issued by the not-for-profit insurance company in December says
the breach resulted from a security vulnerability on the computer network
of a business associate that provides it with technical services.

The CHPW incident now ranks as the 10th largest health data breach that was
reported to federal regulators in 2016.

Undiscovered Breaches

Some security experts predict that more massive health data breaches
inevitably will show up on the official tally this year.

"There likely have been some large breaches that haven't been discovered
yet," says Rebecca Herold, president of SIMBUS LLC, a privacy and security
cloud services firm, and CEO of The Privacy Professor, a consultancy. "There
are likely some huge breaches that have been discovered, but the
organizations experiencing them are waiting to report them until either they
have done more investigation to gather more of the facts involved."

Some attorneys are advising covered entities and their business associates
to delay reporting breaches until they are able to include some positive
information about how there "likely is no unauthorized use of the PHI," she
says. "I've also seen cases where organizations had a breach and panicked
because they knowingly did not have all their HIPAA compliance requirements
implemented. So they quickly put together their security and privacy
program to meet all HIPAA requirements and then reported the breach in an
effort to avoid getting the highest tier of penalties as a result of having
no program in place, and thus being viewed as [guilty of] willful neglect."

Herold also notes that recent research from Protenus Inc., a provider of
patient privacy analytics, found:

The average time to discover PHI data breaches is about 233 days;
Insider-wrongdoing PHI breaches often take almost three times as long to
discover;
The average time from the breach to reporting the incident to HHS was 344
days - almost a full year.

"Unfortunately, the next mega breach will happen as long as criminals find
it profitable to exploit security weaknesses," says Keith Fricke,
co-founder and principal consultant at tw-Security.

Total Breach Tally to Date

The Feb. 7 Wall of Shame snapshot shows that since September 2009, 1,823
major breaches affecting 171.3 million individuals have been reported to
federal regulators.

Hacking incidents have by far been responsible for the largest number of
victims. To date, 276 hacking incidents have impacted 128.6 million
individuals.

Some privacy and security experts expect the number of incidents involving
cyberattacks will continue to grow.

"I anticipate a continuing rise in ransomware infections and variants,"
Fricke says. "Ransomware generates a lot of revenue for criminals."

Fricke also says business associates will continue to be vulnerable to
breaches. "Healthcare organizations will put pressure on their business
associates to prove they are managing risk to PHI entrusted to them," he
says.

Fricke also expects to see more healthcare organizations increase their
information security budgets after OCR begins reporting results of its 2016
HIPAA compliance desk audits and entities begin to worry about fines for
noncompliance.