[BreachExchange] Health Data Breach Tally Update: A Puzzling Omission

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 29 21:15:19 EST 2018


So far in 2018, 15 health data breaches have been reported to federal
regulators, affecting a combined total of nearly 391,000 individuals.

But despite numerous ransomware attacks in the healthcare sector grabbing
headlines, relatively few such incidents are showing up on the official
federal tally. That could be because organizations are inappropriately
underreporting these incidents. In some cases, however, investigations may
have determined the attacks did not compromise patients' protected health

Most of the breaches added in January to the Department of Health and Human
Services' Office for Civil Rights' HIPAA Breach Reporting Tool website of
major health data breaches - commonly called the "wall of shame" - occurred
in late 2017 but were reported in recent weeks. Under HIPAA, organizations
must report breaches impacting 500 or more individuals to federal
regulators and affected individuals within 60 days of discovery.

So far, the three largest breaches reported in 2018 are listed as
hacking/IT incidents. A variety of other breaches have been added to the
tally, including six listed as unauthorized access/disclosure; three tied
to losses or thefts; and two involving the improper disposal of papers and
films. No ransomware attacks, however, were added.

Variety of Causes

The wide assortment of breaches serves as a reminder that entities need to
stay on their toes, whether it's safeguarding electronic PHI from hackers
or taking steps to prevent missteps.

The largest incident posted to the federal tally so far in 2018 was a
"hacking/IT incident" impacting nearly 280,000 Medicaid patients reported
by the Oklahoma State University Center for Health Sciences. A notification
letter OSUCHS sent to affected individuals notes that the incident was
discovered in November 2017.

The second largest breach posted was a hacking incident involving email
reported jointly on Jan. 12 by Onco360 Oncology Pharmacy and CareMed
Specialty Pharmacy and affecting more than 53,000 individuals.

A notification statement issued jointly by Onco360 and CareMed says that on
Nov. 14, "suspicious activity involving an employee's email account was

On Nov. 30, a forensic investigation determined that an unauthorized user
appeared to have gained access to email accounts of three employees, the
statement notes. "A detailed review of the impacted e-mail accounts was
performed, and on Jan. 8, 2018, it was determined that a limited number of
those emails may have contained demographic information, medication and
clinical information, health insurance information and Social Security
numbers of some of the patients receiving services from Onco360 and CareMed
Specialty Pharmacy," according to the statement.

A "very small" but undisclosed number of individuals also may have had
their financial account information impacted, the notification states.
"Prompt measures were taken to address this incident, including changing
email account passwords, providing additional training to employees on
recognizing suspicious emails, implementing additional measures to further
enhance e-mail security and reporting the incident to law enforcement," the
organizations note.

Affected individuals are being offered free credit monitoring and identity
protection services.

The third largest breach posted was reported on Jan. 5 by Florida's Agency
for Health Care Administration, which regulates healthcare facilities and
is responsible for administering Medicaid. The agency says the hacking/IT
incident, which affected 30,000 individuals, involved a phishing attack on
Nov. 15, 2017.

In total, a Jan. 29 snapshot of the federal breach tally shows 2,196
incidents reported since September 2009 affecting a total of nearly 177.1
million individuals. Of those, 420 breaches are reported as hacking/IT
incidents affecting about 134.4 million individuals, or 76 percent of those
impacted by all the breaches on the tally.

Where's the Ransomware?

Despite the rising number of hacking incidents appearing on the tally,
especially over the last two years, many breaches reported as involving
ransomware are noticeably missing from the wall of shame. In fact, a
spreadsheet downloadable via the wall of shame, which provides details of
OCR's investigations into each major reported breach, shows only 16
breaches that the agency officially describes as having involved ransomware.
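The two figures above, the share of affected individuals attributable to hacking/IT incidents and the count of breaches whose OCR narrative mentions ransomware, come from the downloadable breach report rather than from the portal's summary page. The following added example (not code from the original post, from OCR, or from the authors quoted here) shows how a practitioner would compute both from that export. The column names are an assumption about the real download, and every row is constructed sample data that describes no actual reported breach; the code also handles the two wrinkles that trip up a naive tally, thousands separators in the individuals column and a single breach filed under more than one type.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of the OCR breach portal CSV export.
# The column names are an assumption about the real download; the rows
# are invented and do not describe any actual reported breach.
SAMPLE_CSV = '''Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present,Web Description
Example Health System,OK,Healthcare Provider,"279,865",01/05/2018,Hacking/IT Incident,Network Server,No,Unauthorized access to a server discovered in November 2017.
Example Pharmacy,NY,Healthcare Provider,"53,173",01/12/2018,Hacking/IT Incident,Email,No,Suspicious activity in three employee email accounts following phishing.
Example Clinic,TX,Healthcare Provider,"3,200",01/09/2018,"Hacking/IT Incident, Unauthorized Access/Disclosure",Desktop Computer,No,Ransomware encrypted files on a workstation; data restored from backups.
Example Practice,FL,Healthcare Provider,900,01/16/2018,Theft,Paper/Films,No,Paper records stolen from an employee vehicle.
Example Hospital,CA,Healthcare Provider,"12,500",01/22/2018,Improper Disposal,Paper/Films,Yes,Films discarded in an unsecured dumpster.
'''


def load_breaches(csv_text):
    """Parse the export into dicts. 'Individuals Affected' becomes an int
    (the portal formats it with thousands separators) and 'Types' becomes a
    list, because one breach can be filed under several types at once."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
        row["Types"] = [t.strip() for t in row["Type of Breach"].split(",") if t.strip()]
        rows.append(row)
    return rows


def tally_by_type(rows):
    """Breach count and individuals affected per breach type. A multi-type
    breach is counted once under each of its types, so per-type individuals
    do not sum to the overall total."""
    tally = defaultdict(lambda: {"breaches": 0, "individuals": 0})
    for row in rows:
        for t in row["Types"]:
            tally[t]["breaches"] += 1
            tally[t]["individuals"] += row["Individuals Affected"]
    return dict(tally)


def share_of_individuals(rows, breach_type):
    """Fraction of all individuals on the tally whose breach lists this type;
    this is the figure behind a statement such as 'hacking/IT incidents
    account for 76 percent of those impacted'."""
    total = sum(r["Individuals Affected"] for r in rows)
    matched = sum(r["Individuals Affected"] for r in rows if breach_type in r["Types"])
    return matched / total if total else 0.0


def find_keyword(rows, keyword):
    """Breaches whose OCR narrative mentions the keyword (case-insensitive).
    The type column never says 'ransomware'; only the narrative does, so a
    count of ransomware breaches has to come from searching this field."""
    kw = keyword.lower()
    return [r for r in rows if kw in (r.get("Web Description") or "").lower()]


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    for btype, counts in sorted(tally_by_type(breaches).items()):
        print(f"{btype:40s} {counts['breaches']:3d} breaches "
              f"{counts['individuals']:9,d} individuals")
    share = share_of_individuals(breaches, "Hacking/IT Incident")
    print(f"Hacking/IT share of individuals: {share:.1%}")
    for r in find_keyword(breaches, "ransomware"):
        print("ransomware narrative:", r["Name of Covered Entity"], r["Types"])
```

To run it against the real export, replace SAMPLE_CSV with the file contents and check the header row against the column names assumed here; the narrative search is deliberately broad, since a breach that OCR filed as a plain hacking/IT incident will only surface as ransomware if the narrative says so.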

But a number of highly publicized healthcare incidents involving ransomware
over the last two years - including 2016 incidents at Hollywood
Presbyterian Medical Center and MedStar Health - are not listed on the wall
of shame, despite OCR guidance issued in 2016 suggesting that most
ransomware incidents involving PHI should be considered breaches.

So are ransomware breaches being underreported by healthcare entities and
business associates?

"I am not surprised by the ransomware numbers," says privacy attorney Kirk
Nahra of the law firm Wiley Rein. "The HHS guidance does not say that
breach notification is required - it says that a ransomware incident -
usually - involves unauthorized access to PHI, and that therefore you need
to go through the risk assessment exercise to determine if notice is
required. In many of the more common ransomware situations, it will be
feasible and appropriate to determine that the data was not misused in any
way that created material risks to the patients, as long as the information
was not destroyed in some way," he says.

"So, there will be lots of ransomware situations where the rule does not
require notice to individuals. I don't think this is an enforcement issue
at this point; it's more a question of what ransomware is actually doing
and how it impacts both individual patients and health care operations."

Lingering Confusion?

Susan Lucci, chief privacy officer of security and privacy consulting firm
Just Associates, says she suspects there is still lingering confusion about
reporting ransomware breaches to OCR and that some organizations could be
simply reporting these events as a hacking incident.

"It certainly should be a clear requirement considering a government
interagency report determined that there are about 4,000 ransomware attacks
daily since 2016," she says. "Covered entities and business associates want
to do the right thing, and confusion can contribute to misreporting."

Lucci also notes that some cyberattacks first considered as involving
ransomware turn out to not actually involve extortion schemes, including
the attack against Nuance (see Nuance: NotPetya Attack Was Not a Reportable
Health Data Breach).

Ransomware "also highlights the importance of some of the more 'mundane'
elements of the HIPAA Security Rule, like back-ups and contingency
operations," Nahra notes.

"We will see these ransomware numbers go up, but that's because there are a
lot of these incidents and some of them will require reporting," he says.
"It is critical for covered entities and business associates to pay
attention to the kinds of things that are being reported along with media
reports and other things that may touch on other incidents that do not get
reported as a means of staying on top of appropriate security practices and
guarding against 'common' problems."