Health Data Breach Tally Update: What's Been Added?
Business Associate Reports Ransomware Attack; Hacks Still Biggest Cause of Breaches
A ransomware attack reported by a business associate that impacted more than three dozen clients and nearly 207,000 individuals is among the latest incidents added to the Department of Health and Human Services' HIPAA Breach Reporting Tool.
The health data breach tally shows that nine of the 10 largest breaches posted so far this year involved hacking/IT incidents.
Of the 142 major breaches affecting nearly 4.25 million individuals that have been added to the tally so far in 2019, 89 were reported as hacking/IT incidents. Those incidents affected about 3.8 million individuals - or nearly 90 percent of all those affected.
Largest Health Data Breaches Reported in 2019
| Breached Entity | Individuals Affected |
| --- | --- |
| Columbia Surgical Specialist of Spokane | 400,000 |
| ZOLL Services LLC | 277,000 |
| Doctors Management Services | 207,000 |
| Centrelake Medical Group | 198,000 |
| Centerstone Insurance and Financial Services (d/b/a BenefitMall) | 116,000 |
| Las Colinas Orthopedic Surgery & Sports Medicine | 76,000 |
| Rutland Regional Medical Center | 72,000 |
Commonly called the "wall of shame," the HHS Office for Civil Rights website lists health data breaches impacting 500 or more individuals since September 2009, when the HIPAA Breach Notification Rule took effect.
As of Thursday, the cumulative tally lists 2,698 major health data breaches affecting a total of nearly 195.4 million individuals.
Ransomware Attack on BA
One of the largest breaches added to the tally in recent weeks was reported on April 22 by Doctors Management Services, a West Bridgewater, Massachusetts-based medical billing services firm.
In a breach notification statement, Doctors Management Services says the incident, which involved a GandCrab ransomware attack, affected 38 of its HIPAA covered entity clients.
DMS says it first noticed technical issues with its computer network on Dec. 24, 2018, but its investigation found that the initial unauthorized access to its network took place on April 1, 2017, through Remote Desktop Protocol (RDP) on a workstation. DMS says it was able to recover from the ransomware attack by restoring from backups and did not pay a ransom.
"Because the ransomware deployed on Christmas Eve day, and DMS was able to restore its data from its backups on the day after Christmas, the effect on clients was minimal if any," says Tim DiBona, CEO of DMS, in a statement to Information Security Media Group.
The initial malware penetration was intentionally designed to avoid detection and bypassed the then-existing security controls in place at DMS, DiBona says.
"Since discovering the breach, we have changed our network security system to limit access to our systems from outside of our network and to improve our network security," DMS says.
DMS is offering credit monitoring to individuals whose Social Security number or driver's license number may have been impacted by this incident, DiBona says.
The DMS incident offers a reminder that "all organizations should ensure they have offline or otherwise protected backups sufficient for recovery from ransomware attacks," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
As shown in the DMS hacking incident, delayed detection of breaches is an ongoing challenge.
"On average, a hacker is in a system or network for 204 days before being detected," says Tom Walsh, president of consulting firm tw-Security.
To speed up detection, entities should practice "careful correlation and monitoring of audit logs using a security information and event management system to detect abnormal user behavior," he says. "Most smaller organizations should consider outsourcing that to a managed service to avoid capital expenditures and the advanced internal training necessary to interpret the log findings."
Harold Byun, vice president of products at data protection vendor Baffle, offers a similar assessment.
"Visibility and monitoring are critical to have in place for organizations to detect activity in a timely manner," Byun says. "Many of the largest breaches have gone undetected for months on end, and the industry metrics on detection rates have improved some, but are still woefully long. Organizations also need to shift their posture to one where they assume they are already breached and operate from there."
Entities also need to stay vigilant about protecting common areas of vulnerability that can lead to compromise. "Since the old model of private networks as castles protected by moats and only accessible over a controlled drawbridge is a distant memory, organizations must be vigorously diligent about identifying and securing remote entry points such as through RDP," Borten notes.
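Walsh's advice on correlating audit logs in a SIEM and Borten's point about securing RDP entry points can be made concrete with a small detection rule set. The following is an added example written for this page; it is not code from DMS, ISMG or any of the quoted experts. The event records are constructed to resemble Windows Security events 4624 (logon success) and 4625 (logon failure) as a log forwarder might emit them as JSON lines; the field names (`event_id`, `logon_type`, `src_ip`, `host`, `user`), the threshold, and the assumption that the internal network lives entirely in RFC 1918 and loopback space are assumptions of the example.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real DMS logs). Logon type 10 is
# RemoteInteractive, i.e. RDP; 4625 is a failed logon, 4624 a success.
SAMPLE_EVENTS = """\
{"ts": "2018-12-20T02:10:05", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.23", "host": "BILLING-WS07"}
{"ts": "2018-12-20T02:10:09", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.23", "host": "BILLING-WS07"}
{"ts": "2018-12-20T02:10:14", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.23", "host": "BILLING-WS07"}
{"ts": "2018-12-20T02:10:20", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23", "host": "BILLING-WS07"}
{"ts": "2018-12-20T02:10:27", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23", "host": "BILLING-WS07"}
{"ts": "2018-12-20T02:10:33", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23", "host": "BILLING-WS07"}
{"ts": "2018-12-20T08:31:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.4.15", "host": "BILLING-WS03"}
{"ts": "2018-12-20T08:32:10", "event_id": 4624, "logon_type": 2, "user": "mlee", "src_ip": "127.0.0.1", "host": "BILLING-WS03"}
{"ts": "2018-12-20T23:45:00", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.9", "host": "BILLING-SRV01"}
"""

RDP_LOGON_TYPE = 10            # Windows logon type for RDP / Terminal Services
FAILURE_THRESHOLD = 4          # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=10) # correlation window for rule 2

# Assumption: everything inside the organization is RFC 1918 or loopback.
# Replace with the real address plan (and VPN pool) in a production rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def is_external(ip):
    """True if the source address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_external_rdp(events):
    """Rule 1: any successful RDP logon from outside the internal network.
    If remote access is supposed to arrive via VPN, this list should be empty."""
    return [
        (e["ts"].isoformat(), e["host"], e["user"], e["src_ip"])
        for e in events
        if e["event_id"] == 4624
        and e["logon_type"] == RDP_LOGON_TYPE
        and is_external(e["src_ip"])
    ]


def detect_bruteforce_then_success(events):
    """Rule 2: at least FAILURE_THRESHOLD failed logons from one source IP
    within WINDOW, followed by a success from that IP (any username)."""
    recent_failures = defaultdict(list)
    alerts = []
    for e in events:
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            recent_failures[ip].append(e["ts"])
        elif e["event_id"] == 4624:
            cutoff = e["ts"] - WINDOW
            fails = [t for t in recent_failures[ip] if t >= cutoff]
            if len(fails) >= FAILURE_THRESHOLD:
                alerts.append((e["ts"].isoformat(), e["host"], e["user"], ip, len(fails)))
            recent_failures[ip] = []  # reset so one burst raises one alert
    return alerts


def run(text=SAMPLE_EVENTS):
    """Apply both rules and return the alerts keyed by rule name."""
    events = parse_events(text)
    return {
        "external_rdp": detect_external_rdp(events),
        "bruteforce_success": detect_bruteforce_then_success(events),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        for hit in hits:
            print(rule, hit)
```

On the constructed input, rule 1 flags the two RDP logons from non-internal addresses and rule 2 flags the five failures followed by a success from 198.51.100.23; the internal logon from 10.0.4.15 and the local console logon are ignored. The same correlation could be expressed as a SIEM search, but the point stands either way: the workstation RDP access described in the DMS incident would surface under rule 1 alone if RDP is not supposed to be reachable from outside the network.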
Hacking attacks are likely to continue to be the No. 1 cause of health data breaches, security experts say.
"Hacking, especially ransomware, is a lucrative business. It has low startup and operating costs, low likelihood of being caught and prosecuted, and a high return on investment," Walsh says. "Hacking is conducted by nation-states, organized crime, political activists, and of course, opportunistic individuals who - in some cases - would rather do hacking than work at a real job."
Byun adds: "Most organizations are still not operating from a defensive posture ... the attackers are already in the network."
The loss or theft of devices, which used to be the most common cause of health data breaches, has become far less of a concern.
So far this year, only 11 loss/theft incidents involving unencrypted computing devices have been added to the tally. Those incidents affected a total of 139,000 individuals, or less than 4 percent of all individuals impacted by major health data breaches added to the tally.
Only one of the 10 largest breaches added to the tally so far this year stemmed from this cause. Texas-based Las Colinas Orthopedic Surgery & Sports Medicine, which operates under the name All-Star Orthopaedics, reported a breach caused by the theft of an unencrypted hard drive that affected 76,000 individuals.
"Encryption of user devices has become routine due to both affordable solutions and regulatory pressure," Borten notes. "However, this standard security control is not yet ubiquitous. The healthcare industry should continue to push for comprehensive encryption of all portable devices and media."
While business associates and covered entities appear to be doing a better job encrypting their mobile computing devices, such as laptops and portable storage media, that doesn't necessarily protect against all breaches involving those devices, Byun notes.
"Device encryption may protect against physical theft but does absolutely nothing against a modern day attack or hack," he says. "What's unclear in the [HHS] statistics and the reports is the method of the breach and whether the encrypted device truly countered the attack or is being used as a crutch to minimize how many breach notifications need to go out."