At Half-Year Mark, Ransomware, Vendor Breaches Dominate

Latest Analysis of HHS OCR Health Data Breach Trends
At Half-Year Mark, Ransomware, Vendor Breaches Dominate
A screenshot of HHS OCR's HIPAA breach reporting website

Ransomware incidents and breaches involving business associates affecting millions of individuals dominate the hundreds of major health data breaches reported so far this year to federal regulators.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

The trends underscore a troubling weakness for the healthcare industry, which depends on third parties to process claims, handle billing and otherwise operate the administrative side of medical care.

Business associates, many of which are small companies, often lack adequate cybersecurity despite processing data of immense value to hackers.

Numbers tallied by the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows some 360 major breaches so far this year affecting nearly 22.5 million individuals posted to the tally since the start of 2022.

The number of affected individuals is likely an undercount, since the HHS' Office for Civil Rights' website only lists health data breaches affecting 500 or more individuals.

The vast majority of breaches so far - 287 breaches affecting nearly 21.9 million individuals - were reported as hacking/IT incidents.

In fact, all of the 10 largest health data breaches added so far this year were reported as hacking/IT incidents. Of those, at least eight have been reported as involving ransomware and/or data exfiltration.

The second most frequently reported type of breach in 2022 is "unauthorized access/disclosure" incidents. There were about 54 of those incidents, affecting a mere 281,000 individuals.

10 Largest Health Data Breaches in 2022, So Far

Breached Entity Individuals Affected
Shields Health Care Group* 2 million
Professional Finance Company* 1.9 million
Broward Health* 1.35 million
Texas Tech University Health 1.3 million
Baptist Medical Center* 1.2 million
Partnership HealthPlan of California* 855,000
MCG Health* 793,000
Yuma Regional Medical Center* 737,500
Morley Companies* 521,000
Adaptive Health Integrations 510,600
*Reported as involving ransomware and/or data exfiltration
Source: U.S. Department of Health and Human Services

Vendor Breaches

Business associates that handle protected health information on behalf of their covered entity clients have been at the center of at least 136 breaches affecting 9.87 million individuals.

That means vendors business associates were involved in about half of all major health data breaches - 47% of the major HIPAA breaches reported capturing 45% of all individuals affected.

Of the 10 largest HIPAA breaches posted on the HHS site so far in 2022, at least four were reported as involving business associates.

That includes the two largest breaches so far this year - a data exfiltration incident reported by medical imaging services provider Shields Health Care Group that affected 2 million individuals, and a ransomware incident involving accounts receivables services firm Professional Finance Company, that affected 1.9 million people and hundreds of covered entity clients.

Also among the top 10 largest breaches is a hacking incident affecting nearly 1.3 million individuals reported by Texas Tech University Health Sciences.

Texas Tech is among a growing list of several dozen covered entities affected by a data deletion incident disclosed earlier this year involving cloud-based electronic health records vendor Eye Care Leaders.

Disturbing Trends

The growing trend of record loss due to third parties is unsurprising, given the preference of ransomware operators not to attract too much unwanted attention by directly disrupting medical care, says Michael Hamilton, CISO of security firm Critical Insight.

For cybercriminals, "records theft is safer, is highly monetizable, and doesn’t draw the fire of the federal government," says Hamilton, the former CISO of the city of Seattle.

Also fueling health data breach trends is the attractive nature of patient information, says Jim Van Dyke, senior vice president of innovation at Sontiq, a TransUnion company.

Patient data can often be used for a wider variety of identity crimes than data sourced from entities outside the healthcare sector, he says.

"Health sector firms simply need to operate with a broader array of consumer data - spanning personally identifiable information, PHI and financial or payment account data - than financial sector, government or commerce sector entities, and in turn this makes them more likely to be the target of hackers."

Making matters worse, many business associates in the healthcare sector are smaller companies that do not make sufficient investments into security to protect the sensitive patient information they handle, Hamilton says.

"I think what we’re seeing is a changing 'go-to-market strategy' for many ransomware and other extortion operations."

Addressing Weaknesses

Nicholas Heesters, HHS OCR senior adviser for cybersecurity, during a presentation at Information Security Media Group's annual healthcare security summit in New York City this week, told attendees that the volume of breaches being reported to the agency is steadily growing each year.

Currently, ransomware-related incidents are among the leading types of hacking IT incidents being reported to HHS OCR, he adds.

HHS OCR's investigations into these and other breaches continue to find that many healthcare sector entities are notably still lacking multifactor authentication, he says.

Many covered entities and business associates are still often found to be deficient in conducting and documenting comprehensive enterprise security risk analysis, which potentially could have helped the organizations identify areas of weakness to be mitigated prior to suffering massive breach incidents, he says.

Hamilton offers a similar assessment based on what he sees.

"Looking at the two main initial access vectors for hacking incidents, it is people falling victim to phishing and giving up passwords and unpatched internet-facing vulnerabilities that are exploited," he says.

"Given that reality, vulnerability management and user training become critically important. Additionally, a policy of personal use on personal devices will insulate covered entity systems from unfiltered messaging systems, such as personal email, social media, etc."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.