[BreachExchange] Health Data Breach Tally Spikes in Recent Weeks

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 17 18:49:34 EDT 2018


https://www.databreachtoday.com/health-data-breach-tally-spikes-in-recent-weeks-a-10816

The reporting of major health data breaches to federal regulators has
spiked in recent weeks. So what's behind the surge?

As of Tuesday, the Department of Health and Human Services' HIPAA Breach
Reporting Tool website - commonly called the "wall of shame" - showed 86
major health data breaches affecting more than 1 million individuals had
been added to the tally so far this year.

Nearly half of those incidents have been posted to the wall of shame since
March 15, the last time Information Security Media Group analyzed the
federal breach tally (see Health Data Breaches Added to Tally Vary Widely).

Is there a key reason why the number of breaches reported to federal
regulators has surged in the last month?

"I suspect it is just a coincidence of some kind and not a reflection of
any larger trend," says privacy attorney Kirk Nahra of the law firm Wiley
Rein.

To date, the federal tally shows that hacker/IT incidents represent nearly
a quarter of the breaches reported in 2018, but they're responsible for
impacting about 613,000 individuals - or more than half of the total
victims so far this year.

But hackers are only a part of the picture. An assortment of other
incidents have also contributed to the victim count this year.

For instance, lost or stolen unencrypted devices continue to dot the wall
of shame.

So far this year, 18 incidents involving lost or stolen unencrypted laptops
and other computer equipment, impacting about 68,000 individuals, have been
added to the tally.

Unauthorized Access, Disclosure

The most frequently reported type of breach so far this year is
"unauthorized access/disclosure." The 38 such breaches reported impacted
about 339,000 individuals.

Breach notifications from some of the organizations reporting those
incidents show a wide range of circumstances involved.

For instance, an "unauthorized access/disclosure" breach reported on March
29 by Middletown Medical impacted about 64,000, making it the fifth largest
breach added to the federal tally in 2018.

A notification statement from the New York-based practice indicates that on
Jan. 29, the entity learned that a security setting on a radiology
interface "may have permitted users to see a patient listing and, in a
limited number of cases, may have allowed unauthorized users to access
limited electronic patient information."

Middletown Medical says that it "modified the interface and terminated any
potential unauthorized access to the patient listing and electronic patient
information."

One of the most recent "unauthorized access/disclosure" breaches added to
the tally was an email incident reported on April 12 by Polk County Health
Services in Iowa. It affected about 1,000 individuals - and lasted nearly
four years.

A notification from the organization, which is the regional administrator
and the governing board for mental health and disability services on behalf
of Polk County, Iowa, notes that the breach occurred from June 1, 2014, to
Jan. 11, 2018.

"During this period, Polk County Health Services accidentally and
unknowingly disseminated personal and protected health information of
individuals who have received services at the Crisis Observation Center in
Des Moines, Iowa. Polk County Health Services became aware of the potential
breach on Feb. 14, 2018."

Data exposed included full name, home address, Social Security number,
Medicaid identification number, date of admission to the Crisis Observation
Center and discharge location. Polk County Health Services is offering
those affected one year of free credit and identity monitoring.

Lessons to Learn

Nahra says other entities must learn from the assortment of breaches being
reported in the healthcare sector.

"Companies need to place a high priority on internal monitoring - both to
find unusual activity and to keep an eye on employee behavior," Nahra says.
"The 'worst' situations are those where someone is misusing a system - a
hacker or internal person - for an extended period of time without getting
caught."

Although hacker-related breaches so far this year continue to account for a
high percentage of health data breach victims, the total victim counts in
these recent hacker incidents remain much lower than the huge cyberattacks
reported in the healthcare sector in 2015.

To date, the largest health data breach on record in the U.S. remains the
hacker attack on Anthem Inc., reported in February 2015, which impacted
nearly 79 million individuals.

"Hacker breaches obviously can have big numbers," Nahra says. "Companies
need to be policing their systems and thinking about ways to wall off data
so that hackers cannot access as much information. I hope that the reduced
number of 'mega' breaches is a reflection of better practices, but I
suspect it is just a coincidence."

Since 2009 - when HHS began publicly posting its tally of reported breaches
impacting 500 or more individuals - 2,267 major health data breaches have
affected a total of nearly 177.8 million individuals.