Healthcare Data Privacy

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security.

Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets.

The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked sector with 194 reported incidents, followed by information with 180 data breaches.

The report shows there have been significant shifts in data breach trends in 2021. While data breaches have declined globally and have remained fairly constant in the United States, there has been a marked increase in ransomware attacks. Risk Based Security recorded 352 ransomware attacks in the first 6 months of 2021 and, if that pace continues, the number of attacks will be significantly higher than 2020.

Ransomware attacks are extremely costly in healthcare due to the long period of downtime, and without access to medical records patient safety is put at risk. This is of course known to ransomware gangs. The reliance on access to data and the high cost of downtime increases the probability of the ransom being paid.

In 2020, data breaches started to take longer to be reported and that trend has continued in 2021. This is in part due to the increase in ransomware attacks, which can take longer to investigate, but even taking that into account there were many cases when breach notifications took an unusually long time to be issued and that has started to attract attention from regulators.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” said Inga Goddijn, Executive Vice President at Risk Based Security. “The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

The majority of reported breaches (67.97%) were hacking incidents, with only 100 (5.66%) due to viruses, and just 45 email incidents (2.55%). There were 76 web breaches reported (4.30%); however, they resulted in the highest number of records being breached.

Data breaches that exposed access credentials such as email addresses and passwords have remained consistent with other years, with email addresses exposed in 40% of breaches and passwords in 33%. The majority of reported breaches in 2021 were the result of external threat actors (78.66%), with 13.75% caused by insiders. Out of the confirmed insider breaches, the majority were accidental (58.85%), with 18.52% caused by malicious insiders.

Risk Based Security also notes that breach severity is increasing. Large numbers of data breaches have been reported in 2021 that involved sensitive data, which is a particularly worrying trend.

The post Healthcare Industry has Highest Number of Reported Data Breaches in 2021 appeared first on HIPAA Journal.

Report: The State of Privacy and Security in Healthcare

2020 was a particularly bad year for the healthcare industry with record numbers of data breaches reported. Ransomware was a major threat, with Emsisoft identifying 560 ransomware attacks on healthcare providers in 2020. Those attacks cost the healthcare industry dearly. $20.8 billion was lost in downtime in 2020, according to Comparitech, which is more than twice the ransomware downtime cost to the healthcare industry in 2019.

With the healthcare industry facing such high numbers of cyberattacks, the risk of a security breach is considerable, yet many healthcare organizations are still not fully conforming with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule, according to the 2021 Annual State of Healthcare Privacy and Security Report published today by healthcare cybersecurity consulting firm CynergisTek.

To compile the reportThe State of Healthcare Privacy and Security – Maturity Paradox: New World, New Threats, New Focus – CynergisTek used annual risk assessments at 100 healthcare organizations and measured progress alongside overall NIST CSF conformance. 75% of healthcare organizations improved overall NIST conformance in 2020; however, 64% of healthcare organizations fell short of the 80% NIST conformance level considered to be the passing grade. Most of the improvements made in 2020 were only small.

As the graph below shows, 53 healthcare organizations improved NIST conformance year over year, 32 of those were considerably below the 80th percentile and 17 healthcare organizations saw NIST conformance decline year-over- year.

Year-over-Year Improvements in NIST CSF Conformance. Source: CynergisTek State of Healthcare Privacy and Security Report.

In order to improve resilience to ransomware and other cyberattacks, it is essential for healthcare organizations to improve their security posture. It will not be possible to stay one step ahead of threat actors if organizations do not take steps to improve NIST CSF and HIPAA Security Rule conformance.

While good conformance scores are a good indication of security posture, they do not necessarily reflect the extent to which healthcare organizations have reduced risk. For this year’s report, CynergisTek placed less emphasis on conformance scores and assessed the measures healthcare organizations had taken to identify which core functions of the NIST CSF appeared to be really driving long term security improvements, with the goal of identifying the best opportunities for both short- and long-term success.

The Identity function provides the foundation on which the rest of the core functions are based, but 73% of healthcare organizations were rated low performers in this function. Asset management and supply chain risk management were two of the key areas that need to be addressed. The healthcare supply chain is a universal issue and the weak link in healthcare. Many healthcare organizations struggle to validate whether or not third-party vendors meet specific security requirements. 76% of healthcare organizations failed to secure their supply chains.

The Protect function requires safeguards to be implemented to protect critical infrastructure and data. One of the main areas where organizations were falling short is protection of data using encryption. “An organization’s default for storing protected data of any kind and transmitting it should include encryption – it clearly does not”, explained CynergisTek. High performers achieved 90% conformance for protection of data at rest, whereas the rest of the sector was in the low 30th percentile.

In the Detect function, there was a major difference between high and low performers, but overall there were good levels of implementation; however, to be considered a high performer it is necessary to get the detect function substantially implemented and to ensure there is significant automation of security monitoring.

The Respond function concerns an organization’s ability to quickly implement appropriate activities when a cybersecurity event is detected, and this is an area where significant improvements need to be made. Only the highest performers are actively investigating notifications from detection systems, and only high performers were consistently and substantially mitigating incidents.

The recover function identifies activities required to return to normal operations after a cybersecurity incident. While there were gaps among the high performers, conformance was generally very good, but significant improvements need to be made by low performers. Around two-thirds (66%) of healthcare organizations are underperforming in recovery planning.

CynergisTek identified several aspects of security that healthcare organizations need to focus on over the coming 12 months:

  • Improve automation of security functions
  • Validate technical controls for people and processes
  • Perform exercises and drills at the enterprise level to test all components of the business
  • Secure the supply chain
  • Look beyond the requirements of the HIPAA Rules and further enhance privacy and security measures

The researchers found notable improvements had been made in organizations’ HIPAA privacy programs in 2020, with some healthcare organizations making exceptional progress. However, there is still room for improvement. CynergisTek identified several privacy areas that should be focused on in 2021.

These measures include implementing user access monitoring tools and engaging in proactive rather than reactive monitoring, addressing defective HIPAA authorizations, preventing violations of the Minimum Necessary Rule by defining criteria to limit PHI disclosure, updating insufficient privacy policies and procedures and ensuring the new policies are implemented, and addressing inappropriate Hybrid Entity designations.

The post Report: The State of Privacy and Security in Healthcare appeared first on HIPAA Journal.

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year.

United States healthcare data breaches in the past 12 months

While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June.

records Exposed in U.S. healthcare data breaches in the past 12 months

More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month.

Largest Healthcare Data Breaches in June 2021

There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare organizations, with 6 of the top 10 breaches confirmed as ransomware attacks. Several healthcare organizations reported ransomware attacks in June that occurred at third-party vendors, with the number of healthcare providers confirmed as being affected by the ransomware attacks on vendors Elekta, Netgain Technologies, and CaptureRx continuing to grow.

The largest healthcare data breach to be reported in June was a phishing attack on the medical payment billing service provider MultiPlan. A threat actor gained access to an email account containing the protected health information of 214,956 individuals.

Northwestern Memorial HealthCare and Renown Health were affected by the ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc., That attack is known to have affected a total of 42 healthcare providers in the United States.

Name of Covered Entity Covered Entity Type Individuals Affected Breach Cause Business Associate Involvement
MultiPlan Business Associate 214,956 Phishing attack Yes
Northwestern Memorial HealthCare Healthcare Provider 201,197 Elekta ransomware attack Yes
Scripps Health Healthcare Provider 147,267 Ransomware attack No
San Juan Regional Medical Center Healthcare Provider 68,792 Unspecified hacking and data exfiltration incident No
Renown Health Healthcare Provider 65,181 Elekta ransomware attack Yes
Minnesota Community Care Healthcare Provider 64,855 Netgain ransomware attack Yes
Francisco J. Pabalan MD, INC Healthcare Provider 50,000 Hacking/IT Incident (Unknown) No
Prominence Health Plan Health Plan 45,000 Ransomware attack No
NYC Health + Hospitals Healthcare Provider 43,727 CaptureRx ransomware attack Yes
UofL Health, Inc. Healthcare Provider 42,465 Misdirected email No
Peoples Community Health Clinic Healthcare Provider 40,084 Phishing attack No
Reproductive Biology Associates, LLC and its affiliate My Egg Bank, LLC Healthcare Provider 38,000 Ransomware attack No
Hawaii Independent Physicians Association Business Associate 18,770 Phishing attack Yes
UW Medicine Healthcare Provider 18,389 Hacking/IT Incident (Unknown) Yes
Cancer Care Center Healthcare Provider 18,000 Hacking/IT Incident (Unknown) Yes
Temple University Hospital, Inc. Healthcare Provider 16,356 Hacking/IT Incident (Unknown) Yes
Walmart Inc. Healthcare Provider 14,532 Loss of paper/films No
Discovery Practice Management, Inc. Business Associate 13,611 Phishing attack Yes
Jawonio Healthcare Provider 13,313 Phishing attack No

Causes of June 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in June 2021, with ransomware attacks accounting for a large percentage of those breaches. There were 58 reported hacking/IT incidents, in which the protected health information of 1,190,867 individuals was exposed or compromised – 92.24% of all breached records in June. The mean breach size was 20,532 records and the median breach size was 2,938 records.

Causes of June 2021 Healthcare data breaches

There were 9 unauthorized access/disclosure incidents reported that involved the impermissible disclosure of the PHI of 81,764 individuals. The mean breach size was 9,085 records and the median breach size was 5,509 records.

There was one incident reported involving the loss of paperwork containing the PHI of 14,532 individuals, one portable electronic device theft affecting 1,166 patients, and 1 incident involving the improper disposal of 2,662 physical records.

42 hacking incidents involved PHI stored on network servers, most of which were data access and exfiltration incidents involving ransomware. There were 19 email security breaches involving PHI stored in email accounts, most of which were phishing incidents.

Location of breached PHI in June 2021 data breaches

Covered Entities Reporting Data Breaches in June

The breach reports show healthcare providers were the worst affected covered entity type with 53 data breaches. 9 breaches were reported by health plans, and 8 by business associates of HIPAA covered entities. HIPAA-covered entities often report breaches at third party vendors, which can mask the extent to which business associates are being targeted by hackers. Adjusted figures taking this into account show the extent to which business associates are suffering data breaches. There were 36 data breaches reported that involved business associates, as shown in the pie chart below.

June 2021 healthcare data breaches by covered entity type

June 2021 Healthcare Data Breaches by State

There were large healthcare data breaches reported by HIPAA covered entities and business associates based in 32 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State No. Data Breaches
California 8
New York 6
Illinois, Pennsylvania, Washington 4
Georgia, New Jersey, Ohio, Oregon, Texas 3
Arkansas, Kentucky, Michigan, Mississippi, Nevada, Tennessee, Wisconsin 2
Alaska, Arizona, Colorado, Connecticut, Florida, Hawaii, Iowa, Maryland, Massachusetts, Minnesota, Montana, New Mexico, Oklahoma, Rhode Island, South Carolina 1

HIPAA Enforcement Activity in June 2021

The HHS’ Office for Civil Rights announced one HIPAA enforcement action in June under its HIPAA Right of Access enforcement initiative. The Diabetes, Endocrinology & Lipidology Center, Inc. in Martinsburg, West Virginia was ordered to pay a financial penalty of $5,000 to resolve its HIPAA Right of Access case and agreed to adopt a robust corrective action plan to ensure that patients will be provided with timely access to their medical records. There were no confirmed HIPAA enforcement actions by state Attorneys General in June.

The post June 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide.

The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure.

It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed.

Fast Response Limited Extent of the Attack

The fast response of Kaseya limited the extent of the attack. Over the weekend, Kaseya’s chief executive, Fred Voccola, said the software update was pushed out to around 40 customers and only affected on-premise customers who were running their own data centers and that its cloud-based services were not affected. The number of affected customers is now thought to be closer to 60.

Many of the victims were MSPs. In addition to their systems being encrypted, ransomware code was pushed out to their clients. More than 1,000 MSP clients are known to have been affected and had REvil ransomware installed. Sophos has reported that it is aware of 70 MSPs that have been affected, along with around 350 companies that use their services.

Kaseya has been issuing regular updates since the attack. In a Sunday morning update, Kaseya said there had been no further compromises since the Saturday evening report which suggests the measures implemented following the discovery of the attack have been successful. While no further ransomware attacks are believed to be occurring, the victim count will undoubtedly grow over the coming days.

When the attack was detected, Kaseya shut down its hosted and SaaS VSA servers and told all customers to switch off their own VSA servers while the attack was mitigated. Customers have been told to keep the servers switched off until further notice. Kaseya is working closely with CISA, the FBI, and cybersecurity forensics firms to investigate the incident and to determine the extent of the attack.

“Our security, support R&D, communications, and customer teams continue to work around the clock in all geographies through the weekend to resolve the issue and restore our customers to service,” said Kaseya in a July 4, 2021, statement about the attack. “We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24–48 hours but that is subject to change) on a geographic basis. More details on both the limitations, security posture changes, and time frame will be in the next communique later today.”

Supply chain attacks such as this can have a huge impact globally. Attackers compromise one company, then gain access to the networks of thousands of others, as was the case with the SolarWinds Orion supply chain attack in 2020. In that attack, malware was distributed through the software update mechanism which gave the attackers access to the systems of around 18,000 companies that received the update.

Kaseya Was Developing Patches for the Exploited Vulnerabilities

The REvil ransomware gang gained access to Kaseya’s systems by exploiting recently discovered vulnerabilities that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD). Those vulnerabilities had not been publicly disclosed and Kaseya was in the process of developing patches to correct the vulnerabilities when the REvil gang struck.

“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” said Victor Gevers, chairman of DIVD.

Kaseya said patches are being developed to correct the flaws and will be released as soon as possible.

One of the Largest Ransomware Attacks to Date

The REvil gang is believed to operate out of Eastern Europe or Russia and is one of the most prolific ransomware-as-a-service operations. Recent attacks conducted by the gang include JBS Foods, computer giant Acer, Pan-Asian retail giant Dairy Farm, UK clothing company French Connection (FCUK), French pharmaceutical company Pierre Fabre, and Brazilian healthcare company Grupo Fleury to name but a few. The latest attack is one of the largest ransomware attacks ever seen.

The gang is known to exfiltrate data prior to file encryption and demands payment of a ransom for the keys to decrypt encrypted files and to prevent the exposure or sale of data stolen in the attack. It is currently unclear if these attacks involved data theft.

Businesses and organizations affected by the latest attack have been issued with ransom demands ranging from $50,000 to $5 million according to Sophos malware analyst Mark Loman and Emsisoft CTO Fabian Wosar. The REvil gang has asked for a payment of $70 million to supply a universal decryptor that will unlock all systems that have been encrypted in the attack.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” wrote the gang on its data leak site.

“We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized,” said Kaseya.

President Biden Orders Federal Investigation

After learning of the attack, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, stating on Saturday that it was unclear who was responsible for the attack. President Biden spoke with Vladamir Putin at the June 16 Geneva summit and urged him to crack down on cybercriminal gangs operating out of Russia and warned of consequences should the ransomware attacks continue. “The initial thinking was it was not the Russian government but we’re not sure yet,” President Biden told reporters on a Saturday visit to Michigan. He also confirmed the U.S. would respond if it is determined Russia was to blame for the attack.

CISA Issues Guidance for MSPs and MSP Customers Affected by the Kaseya VSA Supply Chain Attack

Kaseya issued a Compromise Detection Tool on July 3, 2021, which was rolled out to around 900 customers. The tool can be used to quickly determine if a customer’s VSA server has been compromised in the attack. The U.S. Cybersecurity and Infrastructure Security Agency is urging all Kaseya MSP customers to download and run the Compromise Detection Tool as soon as possible.

Kaseya MSP customers have also been advised to enable and enforce multi-factor authentication on every single account and, as far as is possible, to enable and enforce MFA for customer-facing services.

CISA also says MSPs should “implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.”

MSP customers affected by the attack have been advised to implement cybersecurity best practices, especially MSP customers who do not currently have their RMM service running due to the Kaseya attack. CISA recommends the following measures:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resources admin accounts.

The post Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies appeared first on HIPAA Journal.

CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that lists cybersecurity bad practices that are exceptionally dangerous and significantly increase risk to critical infrastructure.

There are many published resources that provide information about cybersecurity best practices that should be adopted to improve security, but CISA felt an additional perspective was required as it is equally, if not more, important to ensure that bad cybersecurity practices are eliminated. “Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices,” explained CISA.

CISA is urging leaders of all organizations to engage in urgent conversations to address technology bad practices, especially organizations that support national critical functions.

One of the foundational elements of risk management is “focus on the critical few”, explained CISA Executive Assistant Director Eric Goldstein in a blog post announcing the launch of the new website resource. Organizations may have limited resources to identify and mitigate risks, but eliminating cybersecurity bad practices is an essential element of every organization’s strategic approach to security. “Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of ‘what to do first’,” said Goldstein.

The new resource was created following cyberattacks on critical infrastructure which demonstrated the impact they can have on critical government functions and how they pose a threat to security, national economic security, and/or national public health and safety.

The CISA Bad Practices catalog will grow over time, but currently lists two cybersecurity bad practices that are exceptionally risky: The use of unsupported software that has reached end-of-life and the continued use of known, fixed, and default passwords and credentials in service of Critical Infrastructure and National Critical Functions.

The post CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated appeared first on HIPAA Journal.

Webinar Today July 8, 2021: All Your HIPAA Questions Answered

In recent years, the Department of Health and Human Services’ Office for Civil Rights has issued guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules and how they apply in certain situations. Even with this guidance, there is still considerable confusion around HIPAA and how the HIPAA Privacy, Security, and Breach Notification Rules and the Omnibus Rule HIPAA updates apply to covered entities and their business associates.

All HIPAA covered entities and business associates must ensure they are compliant with all appropriate provisions of the HIPAA Rules and there are severe penalties for noncompliance. Over the past few years, OCR has stepped up enforcement and regularly imposes financial penalties on covered entities and business associates that are discovered not to have complied with the provisions of HIPAA.

OCR investigates breaches of protected health information, and they are now being reported at record rates. In 2010, the first full year after OCR started publishing summaries of healthcare data breaches on its website, there were 199 reported healthcare data breaches of 500 or more records. In 2020, there were 642 reported breaches… a rise of 222%. The first half of 2021 has just come to an end and there have already been 327 reported breaches this year. There is now a much greater chance of HIPAA violations being discovered. HIPAA compliance has never been more important.

HIPAA Journal regularly receives questions about HIPAA compliance and how the HIPAA Rules apply in certain situations. To help clear up confusion, HIPAA Journal has partnered with Compliancy Group, a leader in the compliance space that educates healthcare providers and their business associates and helps them become and remain HIPAA compliant.

On Thursday, July 8, 2021, you will have an opportunity to have your questions about HIPAA compliance answered in an interactive webinar.

Webinar Today: Thursday July 8, 2021: All Your HIPAA Questions Answered

| 2:00 p.m. ET | 1:00 p.m. CT | 12:00 p.m. MT |11:00 a.m. PT |

“Our goal is to help eliminate any HIPAA stress or concerns you may have. Get quick responses to your questions and gain confidence in compliance today.”

Use the form below to register for the webinar.

The post Webinar Today July 8, 2021: All Your HIPAA Questions Answered appeared first on HIPAA Journal.

1 Billion-Record Database of Searches of CVS Website Exposed Online

A database belonging to CVS Pharmacy that included approximately 1 billion search records has been exposed online. The database included information about searches performed by visitors to and, typically for information about medications an COVID-19 vaccines.

It is common for databases such as these to be maintained by companies. The search information can be used for analytics, customer management, marketing, and other purposes to improve the services provided to customers. These searches can sometimes be tied to an individual by their IP address, or in this case by the searcher’s email address.

The colossal database was discovered by security researcher Jeremiah Fowler. Fowler found that the email addresses of some visitors to the websites was also included in the database. Due to the size of the database, it was not possible to perform searches of all data but searching a sample of data in the database confirmed many email addresses were present. It is not clear why email addresses were recorded. Fowler suggests it could have been people mistakenly attempting to login using the search field.

Fowler did not download the full database, so was unable to determine how many email addresses were present in the database. It is also unclear if Fowler was the first to discover the database and whether any other individuals may have viewed or even downloaded the database while it was accessible.

According to Fowler, the database had been exposed online due to a misconfiguration issue. Fowler contacted CVS to alert them to the exposed database and it was quickly secured. “We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members or patients. We worked with the vendor to quickly take the database down,” explained CVS in a statement issued to Forbes. “We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”

The post 1 Billion-Record Database of Searches of CVS Website Exposed Online appeared first on HIPAA Journal.

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

U.S. Healthcare Data Breaches - Past 12 Months

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

U.S. Healthcare Data Breaches - Records Breached in the Past 12 Months

Largest Healthcare Data Breaches Reported in April 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HSS which confirms the breach affected 1,656,569 individuals. This month, several healthcare organizations have reported they have been affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Involvement
20/20 Eye Care Network, Inc Business Associate 3,253,822 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
NEC Networks, LLC d/b/a CaptureRx Business Associate 1,656,569 Hacking/IT Incident Ransomware attack Yes
Orthopedic Associates of Dutchess County Healthcare Provider 331,376 Hacking/IT Incident Ransomware attack No
Rehoboth McKinley Christian Health Care Services Healthcare Provider 207,195 Hacking/IT Incident Ransomware attack No
Five Rivers Health Centers Healthcare Provider 155,748 Hacking/IT Incident Phishing attack No
SEIU 775 Benefits Group Business Associate 140,000 Hacking/IT Incident Unspecified hacking incident Yes
San Diego Family Care Healthcare Provider 125,500 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Hoboken Radiology LLC Healthcare Provider 80,000 Hacking/IT Incident Hacked medical imaging server No
CareSouth Carolina, Inc. Healthcare Provider 76,035 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Arizona Asthma and Allergy Institute Healthcare Provider 70,372 Hacking/IT Incident Ransomware attack No
New England Dermatology, P.C. Healthcare Provider 58,106 Improper Disposal Improper disposal of specimen bottles No
Sturdy Memorial Hospital Healthcare Provider 57,379 Hacking/IT Incident Ransomware attack No
LogicGate Business Associate 47,035 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
Lafourche Medical Group Healthcare Provider 34,862 Hacking/IT Incident Phishing attack No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group Healthcare Provider 34,203 Hacking/IT Incident Ransomware attack No
SAC Health Systems Healthcare Provider 28,128 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Monadnock Community Hospital Healthcare Provider 14,340 Hacking/IT Incident Unspecified hacking incident Yes
Community Access Unlimited Business Associate 13,813 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Westwood Obstetrics and Gynecology Healthcare Provider 12,931 Hacking/IT Incident Unspecified hacking incident Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 47 (74.60%) were hacking/IT incidents. These incidents resulted in the exposure or theft of 6,432,367 healthcare records – 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents reported involving the 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

May 2021 U.S. Healthcare Data Breaches - Causes

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

May 2021 U.S. Healthcare Data Breaches- location of breached PHI

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

May 2021 healthcare data breaches by covered entity type

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State No. Reported Data Breaches
Texas 6
New York & Ohio 5
California, Illinois, West Virginia 4
Mississippi & Missouri 3
Florida, Maryland, Massachusetts, New Jersey, & Oklahoma 2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, and Wisconsin 1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total up to 8 for 2021. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of access; however, May’s settlement was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance investigation. OCR had investigated a data breach reported by the Department of Veteran Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

The post May 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Ransomware Gangs Adopt Triple Extortion Tactics

Following on from the DarkSide ransomware attack on Colonial Pipeline, several ransomware threat actors have ceased activity or have implemented rules that their affiliates must follow, including banning all attacks on critical infrastructure firms, healthcare organizations, and government organizations.  Some popular hacking forums are distancing themselves from ransomware and have banned ransomware groups from advertising their RaaS programs. However, there are many threat actors conducting attacks and not all are curbing their activities. It remains to be seen whether there will be any reduction in attacks, even in the short term.

So far in 2021, attacks have been occurring at record levels, with the healthcare and utility sectors the most targeted. An analysis of attacks by Check Point Research found that since the start of April 2021, ransomware attacks have been occurring at a rate of around 1,000 per week, with a 21% increase in impacted organizations in the first trimester of 2021 and 7% more in April.

The number of attacked organizations is up 102% from the corresponding period in 2020 and in April 2021, an average of 109 ransomware attacks were reported by healthcare organizations every week, with 59 attacks per week on the utilities sector and 34 in legal/insurance. Ransom payments have also increased and are up 171% from the same time last year, with the average payment now $310,000.

Since early 2020, ransomware threat groups have been using double extortion tactics to increase the probability of victims paying the ransom. Instead of simply encrypting files and demanding payment for the keys to decrypt data, prior to data encryption, the attackers exfiltrate any sensitive data they can find. Threats are then issued to publish the data if payment is not made.

Now, a new tactic has been detected by researchers at Check Point – triple extortion attacks. As with the double extortion tactics of breaching a healthcare network, exfiltrating data, and demanding a ransom for the keys to decrypt files and prevent the sale or publication of stolen data on leak sites, some threat groups are also targeting individuals whose data has been stolen. They too are issued with a ransom demand to prevent their personal and health data from being sold or put in the public domain.

This tactic has been observed since late 2020 and has continued to gain traction in 2021, with the first known case affecting the Vastaamo Clinic in Finland in October 2020. In that case, the attackers stole large amounts of data and issued ransom demands to the clinic and patients, with the latter including a threat to publish their psychotherapy notes if they failed to pay to prevent the data leak.

While the REvil ransomware operation did not issue demands for payment from individuals, their tactics have included contacting individuals by telephone to alert them to the attack to pile on the pressure on the breached entity to pay up.

“We can only assume that creative thinking and a wise analysis of the complex scenario of double extortion ransomware attacks have led to the development of the third extortion technique,” explained Check Point Research. “Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced, and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly… Such victims are a natural target for extortion, and might be on the ransomware groups’ radar from now on.”

The post Ransomware Gangs Adopt Triple Extortion Tactics appeared first on HIPAA Journal.