Analysis: Third-Party Health Data Breaches Dominated in 2022
HHS Breach Tally Signals Biggest Risks, Threats Likely in 2023
Hacking and business associate incidents were the crux of many of the largest health data breaches reported to federal regulators in 2022, foreshadowing the top risks and threats that will more than likely continue to plague healthcare entities and their vendors this year.
In 2022, some 701 major breaches affected nearly 59 million individuals, according to a snapshot taken Tuesday of the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Hacking/IT incidents dominated, and 549 such breaches affected nearly 44 million people. That means hacking/IT incidents, such as ransomware attacks, accounted for nearly 80% of the breaches reported and were responsible for about 75% of people affected by all major health data breaches in 2022.
The largest of those incidents - and the biggest breach posted on the HHS site overall in 2022 - was an apparent ransomware attack on a mailing and printing services vendor, Wisconsin-based OneTouchPoint, which affected 4.1 million individuals.
Overall, 249 reported breaches involved business associates, affecting a total of nearly 24.1 million people. Vendors were at the center of nearly 36% of the reported breaches and responsible for about 42% of those people affected.
Other hacking incidents that hit business associates amounted to superspreaders, affecting their covered entity clients and ultimately their patients.
For instance, a hacking incident involving cloud-based Eye Care Leaders, detected in December 2021, resulted in dozens of covered entity clients reporting breaches affecting more than 3 million individuals in 2022.
"We continue to see ransomware incidents, including exfiltration of protected health information and extortion, as the most prevalent threat to HIPAA-covered entities and business associates, followed closely by business email compromise incidents," says privacy attorney Iliana Peters of the law firm Polsinelli.
The largest business email compromise breach appearing on the HHS OCR website in 2022 was reported last March by Illinois-based Christie Business Holdings Company, P.C., which operates Christie Clinic, affecting nearly 503,000 individuals (see: Illinois Clinic Says Nearly 503,000 Affected in Email Breach).
Unauthorized access/disclosure breaches were the second-most-common type of breach reported, and 113 such incidents affected more than 7.5 million individuals.
Three of those breaches - reported by North Carolina-based WakeMed Health and Hospitals; Advocate Aurora Health, a Midwest health system; and Indiana-based Community Health Network - accounted for nearly 5 million of those affected by unauthorized access/disclosure incidents. Each involved the healthcare provider's use of the Meta Pixel tracking code in its websites (see: Judge Denies Motion to Stop Health Data Scraping by Meta).
Meta faces a proposed consolidated class action lawsuit in a San Francisco federal court alleging that Facebook's parent company violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps.
On the brighter side, breaches involving theft or loss of unencrypted computing devices/media continued to drop in 2022. Only 23 such incidents were reported, affecting a total of nearly 316,000 individuals.
The HHS OCR website in total shows 5,146 major health data breaches affecting more than 382 million individuals reported since September 2009.
10 Largest Health Data Breaches Reported in 2022
Advocate Aurora Health
Shields Health Care Group
Professional Finance Company
Baptist Medical Center
Community Health Network
Texas Tech University Health Sciences Center
What's at Stake
The breach patterns seen in 2022 emphasize the importance of thinking beyond known risks and implementing strong information security and data protection measures, says attorney Andrew Mahler, vice president of privacy and compliance at consulting firm CynergisTek, a part of Clearwater.
"HIPAA-covered entities and business associates should consider performing tabletop exercises that rely on internal policies and procedures to evaluate how well the organization is able to respond to threats and incidents," he says.
Peters suggests that all covered entities and business associates ensure that they have implemented strong administrative and technical safeguards to address these risks. This includes robust training on phishing and thorough incident response policies and procedures, she says.
Also, as third-party risks sharply rise, it is essential that organizations consider and manage vendor risk as part of the overall risk analyses, Mahler says.
This includes not only an evaluation of vendors' policies and procedures, "but also means asking difficult questions, such as, 'Is it simply too risky to share health information with a particular vendor?'" he says.
If active management of vendors and risks is not already in place, Mahler says, organizations should take proactive steps to work with vendors to remediate identified issues and implement an ongoing vendor management process.
Dave Bailey, vice president of security services at CynergisTek, says the stakes are getting even higher for healthcare entities and their vendors in terms of the potential consequences in major security incidents.
"The number of threats and vulnerabilities will continue to rise, and the severity of the impacts will increase if we don't adapt," he says. "If not, I fear we will move beyond the current financial implications of cyberattacks and risk patient harm."
As of Tuesday, only three breaches reported in 2023 had been posted to the HHS OCR website. The largest, an email hacking incident affecting nearly 5,300 individuals, was reported on Jan. 3 by Texas-based Live Oak Surgery Center.
In the weeks and months to come, as HHS OCR continues to review and confirm details of other breach reports filed late last year, more 2022 breaches will likely be posted to the agency's website.