At Half-Year Mark, Ransomware, Vendor Breaches Dominate
Latest Analysis of HHS OCR Health Data Breach Trends
Ransomware incidents and breaches involving business associates affecting millions of individuals dominate the hundreds of major health data breaches reported so far this year to federal regulators.
The trends underscore a troubling weakness for the healthcare industry, which depends on third parties to process claims, handle billing and otherwise operate the administrative side of medical care.
Business associates, many of which are small companies, often lack adequate cybersecurity despite processing data of immense value to hackers.
Numbers tallied on the Department of Health and Human Services' HIPAA Breach Reporting Tool website show some 360 major breaches, affecting nearly 22.5 million individuals, posted to the tally since the start of 2022.
The number of affected individuals is likely an undercount, since the HHS' Office for Civil Rights' website only lists health data breaches affecting 500 or more individuals.
The vast majority of breaches so far - 287 breaches affecting nearly 21.9 million individuals - were reported as hacking/IT incidents.
In fact, all of the 10 largest health data breaches added so far this year were reported as hacking/IT incidents. Of those, at least eight have been reported as involving ransomware and/or data exfiltration.
The second most frequently reported type of breach in 2022 is "unauthorized access/disclosure" incidents. There were about 54 of those incidents, affecting a mere 281,000 individuals.
10 Largest Health Data Breaches in 2022, So Far
| Breached Entity | Individuals Affected |
|---|---|
| Shields Health Care Group* | 2 million |
| Professional Finance Company* | 1.9 million |
| Broward Health* | 1.35 million |
| Texas Tech University Health | 1.3 million |
| Baptist Medical Center* | 1.2 million |
| Partnership HealthPlan of California* | 855,000 |
| MCG Health* | 793,000 |
| Yuma Regional Medical Center* | 737,500 |
| Morley Companies* | 521,000 |
| Adaptive Health Integrations | 510,600 |
Source: U.S. Department of Health and Human Services
Vendor Breaches
Business associates that handle protected health information on behalf of their covered entity clients have been at the center of at least 136 breaches affecting 9.87 million individuals.
That means vendors, or business associates, were involved in about half of all major health data breaches: 47% of the major HIPAA breaches reported, accounting for 45% of all individuals affected.
Of the 10 largest HIPAA breaches posted on the HHS site so far in 2022, at least four were reported as involving business associates.
That includes the two largest breaches so far this year - a data exfiltration incident reported by medical imaging services provider Shields Health Care Group that affected 2 million individuals, and a ransomware incident involving accounts receivables services firm Professional Finance Company, that affected 1.9 million people and hundreds of covered entity clients.
Also among the top 10 largest breaches is a hacking incident affecting nearly 1.3 million individuals reported by Texas Tech University Health Sciences.
Texas Tech is among a growing list of several dozen covered entities affected by a data deletion incident disclosed earlier this year involving cloud-based electronic health records vendor Eye Care Leaders.
Disturbing Trends
The growing trend of record loss due to third parties is unsurprising, given the preference of ransomware operators not to attract too much unwanted attention by directly disrupting medical care, says Michael Hamilton, CISO of security firm Critical Insight.
For cybercriminals, "records theft is safer, is highly monetizable, and doesn’t draw the fire of the federal government," says Hamilton, the former CISO of the city of Seattle.
Also fueling health data breach trends is the attractive nature of patient information, says Jim Van Dyke, senior vice president of innovation at Sontiq, a TransUnion company.
Patient data can often be used for a wider variety of identity crimes than data sourced from entities outside the healthcare sector, he says.
"Health sector firms simply need to operate with a broader array of consumer data - spanning personally identifiable information, PHI and financial or payment account data - than financial sector, government or commerce sector entities, and in turn this makes them more likely to be the target of hackers."
Making matters worse, many business associates in the healthcare sector are smaller companies that do not make sufficient investments into security to protect the sensitive patient information they handle, Hamilton says.
"I think what we’re seeing is a changing 'go-to-market strategy' for many ransomware and other extortion operations."
Addressing Weaknesses
Nicholas Heesters, HHS OCR senior adviser for cybersecurity, during a presentation at Information Security Media Group's annual healthcare security summit in New York City this week, told attendees that the volume of breaches being reported to the agency is steadily growing each year.
Currently, ransomware-related incidents are among the leading types of hacking/IT incidents being reported to HHS OCR, he adds.
HHS OCR's investigations into these and other breaches continue to find that many healthcare sector entities are notably still lacking multifactor authentication, he says.
Many covered entities and business associates are still often found to be deficient in conducting and documenting comprehensive enterprise security risk analysis, which potentially could have helped the organizations identify areas of weakness to be mitigated prior to suffering massive breach incidents, he says.
Hamilton offers a similar assessment based on what he sees.
"Looking at the two main initial access vectors for hacking incidents, it is people falling victim to phishing and giving up passwords and unpatched internet-facing vulnerabilities that are exploited," he says.
"Given that reality, vulnerability management and user training become critically important. Additionally, a policy of personal use on personal devices will insulate covered entity systems from unfiltered messaging systems, such as personal email, social media, etc."