Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Tracking Common Causes of Recent Health Data Breaches

Analyzing Trends Reflected on 'Wall of Shame' Tally So Far This Year
Tracking Common Causes of Recent Health Data Breaches

The biggest health data breaches added to the federal tally so far this year are classified as "hacking/IT incidents" by federal authorities.

See Also: Check Kiting In The Digital Age

These incidents, which include ransomware and phishing attacks - as well as misconfigured IT - are the culprits in nearly two-thirds of the 81 major health data breaches that have been added to the U.S. Department of Health and Human Services HIPAA Breach Reporting Tool website so far this year.

Those 51 hacking/IT incidents affected nearly 2.8 million individuals, or more than 90 percent of the 3 million individuals affected by breaches added to the tally so far in 2019.

Commonly called the wall of shame, the HHS website lists health data breaches affecting 500 or more individuals that have been reported to federal authorities.

A snapshot on Monday shows that 2,667 major health data breaches affecting nearly 193.9 individuals have been posted to the HHS website since 2009.

5 Largest Health Data Breaches Reported in 2019 So Far

Breached Entity Individuals Affected
UW Medicine 974,000
Columbia Surgical Specialist of Spokane 400,000
UConn Health 326,000
ZOLL Services LLC 277,000
Centerstone Insurance and Financial Services (d/b/a BenefitMall) 112,000
Source: U.S. Department of Health and Human Services

Breach Trends

The largest health data breach added to the tally so far this year, which was listed as a hacking/IT incident, involved a misconfigured database reported in February by UW Medicine. That incident potentially exposed on the protected health information of 974,000 individuals for several weeks late last year.

UW Medicine said in a statement that last December, it became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet. The Seattle, Washington-based academic medical system says the misconfigured database at UW Medicine was the result of a coding error when data was being moved onto a new server.

A server mishap was also the culprit in a breach reported to HHS in March by Zoll Services, a provider of emergency medical devices. That incident, which impacted 277,000 individuals, involved a third-party vendor migrating a server containing Zoll's archived email.

The other breaches among the five largest added to the HHS site so far this year were hacking incidents stemming from ransomware and phishing attacks.

In February, Columbia Surgical Specialists of Spokane, Washington, reported a hacking incident involving ransomware that impacted the PHI of 400,000 individuals.

A phishing incident at UConn Health reported in February affected 326,000 individuals. Another phishing incident was reported in January by a payroll HR/administration vendor - Centerstone Insurance and Financial Services, which does business as BenefitMall. That breach affected about 112,000 individuals.

"Phishing continues to be easier access for cybercriminals than it should be," says Susan Lucci, senior privacy and security consultant at tw-Security. "While many covered entities are educating their workforce on how to recognize and report phishing attacks, we continue to observe that when these organizations conduct phishing expeditions through a managed process, the results are worse than they expected."

Vendor Incidents

The breaches reported by Zoll and BenefitMall involved third-party vendors, spotlighting once again the risks posed by business associates.

So far in 2019, business associates were reported to be involved in more than a quarter of the major health data breaches added to the federal tally. Those 27 incidents reported as involving BAs so far in 2019 impacted a total of nearly 690,000 individuals, according to the HHS site.

Lucci says covered entities need to be proactive in their security risk management involving vendors.

"If covered entities are not obtaining reasonable assurances in writing as to their BA's compliance efforts, with some evidence of that compliance, they are risking a partner who may not be protecting PHI and personally identifiable information in the same manner that is required by federal and state regulation," Lucci notes.

"All too often, after a business associate is working with a covered entity, the lines of communication focus only on the business services and deliverables. A business associate is an extension of the CE's workforce and privacy and security communications should be taking place between the CE and their BAs."

Other Incidents

While hacking/IT incidents are dominating the breach victim tally so far in 2019, the HHS website also illustrates other common breach causes.

For instance, 12 breaches affecting a total of nearly 124,000 individuals each stemmed from thefts or losses. Nine involved unencrypted computing devices, such as laptops or desktop computers, while three involved paper/film records.

In addition, 17 breaches caused by unauthorized access/disclosure affected a total of nearly 96,200 individuals.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.