Healthcare Data Security

University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption.

UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack.

The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained,” explained UCSF.

The BBC received an anonymous tip-off about a live chat on the dark web between the negotiators and the NetWalker ransomware operators and followed the negotiations. According to the report, a sample of data stolen in the attack was posted online by the attackers, but after UCSF made contact via email the data was taken offline while the ransom was negotiated. Initially, a ransom payment of $780,000 was offered by UCSF, but the NetWalker gang demanded a payment of $3 million. A payment of 116.4 Bitcoin – $1,140,895 – was finally negotiated a day later.

The investigation into the ransomware attack indicates that neither UCSF nor the School of Medicine was targeted in the attack. “Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” explained UCSF on its website. UCSF reported the attack to the FBI and is assisting with the investigation.

UCSF was one of three Universities in the United States to be attacked with NetWalker ransomware in the space of a week in early June. Attacks were also conducted on Columbia College, Chicago and Michigan State University. Data stolen in the attack on Columbia College has now been removed from the NetWalker website, which suggests the college also paid the ransom.

The post University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack appeared first on HIPAA Journal.

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.

Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has changed little during the pandemic.

Threat activity does not appear to have dropped, so the fall in reported cyberattacks and data breaches could indicate that threat actors have taken the decision not to attack healthcare providers on the front line in the fight against COVID-19. The Maze ransomware gang publicly stated that it would not target healthcare providers during the COVID-19 pandemic, but many other ransomware gangs appear to have stepped up their attacks and are making no such concessions.

It is also possible that rather than cyberattacks and data breaches falling, covered entities and business associates have not been detecting breaches or have delayed reporting. The reason for the fall in reported breaches is likely to become clearer over the coming weeks and months and we will see if this is part of a new trend or if the drop is simply a blip.

While it is certainly good news that the number of breaches has fallen, there was a significant increase in the number of exposed and compromised healthcare records. There were 10 fewer data breaches reported in May 2020 than April, but 1,064,652 healthcare records were breached in May. That is more than twice the number of records breached in April.

Largest Healthcare Data Breaches in May 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
Elkhart Emergency Physicians, Inc. | IN | Healthcare Provider | 550,000 | Improper Disposal
BJC Health System | MO | Business Associate | 287,876 | Hacking/IT Incident
Saint Francis Healthcare Partners | CT | Business Associate | 38,529 | Hacking/IT Incident
Everett & Hurite Ophthalmic Association | PA | Healthcare Provider | 34,113 | Hacking/IT Incident
Management and Network Services, LLC | OH | Business Associate | 30,132 | Hacking/IT Incident
Sanitas Dental Management | FL | Healthcare Provider | 19,000 | Loss
Mediclaim, LLC | MI | Business Associate | 14,931 | Hacking/IT Incident
Woodlawn Dental Center | OH | Healthcare Provider | 14,419 | Hacking/IT Incident
Mat-Su Surgical Associates, APC | AK | Healthcare Provider | 13,146 | Hacking/IT Incident
Mille Lacs Health System | MN | Healthcare Provider | 10,630 | Hacking/IT Incident

Causes of May 2020 Healthcare Data Breaches

The largest healthcare data breach of the month affected Elkhart Emergency Physicians, Inc. and involved the improper disposal of paper records by business associate Central Files Inc. Elkhart Emergency Physicians was one of seven Indiana healthcare providers to be affected by the breach. In total, the records of 554,876 patients were exposed as a result of that improper disposal incident. There was one other improper disposal incident reported in May, making this the joint second biggest cause of data breaches in the month. Those improper disposal incidents accounted for 52.17% of breached records in May. The mean breach size was 69,434 records and the median breach size was 938 records.

There were 8 unauthorized access/disclosure incidents reported, although those breaches only accounted for 2.35% of breached records in May. The mean breach size was 3,124 records and the median breach size was 3,220 records.

Hacking/IT incidents once again topped the list as the main cause of healthcare data breaches, accounting for 39.28% of the month’s breaches and 43.69% of breached records in May. The mean breach size was 42,290 records and the median breach size was 14,419 records.

There was one loss incident involving a network server that contained the records of 19,000 patients. There were no reports of theft of physical records or devices containing electronic protected health information.

The graph below shows the location of breached protected health information. For the past several months, email has been the most common location of breached PHI due to the high number of healthcare phishing attacks. The number of reported phishing attacks dropped in May, hence the lower than average number of email-related breaches. While the number of incidents fell, there was one major phishing attack reported. An attack on BJC Health System saw 3 email accounts compromised. Those accounts included emails and attachments containing the PHI of 287,876 patients.

May 2020 Healthcare Data Breaches by Covered Entity Type

In line with virtually every other month since the HITECH Act mandated the HHS’ Office for Civil Rights to start publishing summaries of data breaches on its ‘Wall of Shame’, healthcare providers were hardest hit, with 21 reported data breaches. It was a good month for health plans, with only one reported breach, but a particularly bad month for business associates. 6 business associates reported data breaches in May, and a further 8 breaches involved business associates but were reported by the covered entity.

Healthcare Data Breaches by State

Data breaches were reported by covered entities and business associates in 17 states in May. Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by the business associate Central Files, Inc.

There were 3 data breaches reported in each of Michigan and Ohio, two breaches reported by healthcare providers in Pennsylvania, and one breach was reported in each of Alaska, Arizona, California, Connecticut, Florida, Georgia, Illinois, Maryland, Minnesota, Missouri, Nebraska, New York, and Texas.

HIPAA Enforcement Activity in May 2020

There were no announcements about HIPAA penalties from the HHS’ Office for Civil Rights or state attorneys general in May 2020.

Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials.

Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home.

Virtual private networks (VPNs) are used to support telehealth services and provide secure access to the network and patient data. Several vulnerabilities have been identified in VPNs which are being exploited by threat actors to gain access to corporate networks, steal sensitive data, and deploy malware and ransomware. It is therefore essential for VPN systems to be patched promptly and for VPN clients on employee laptops to be updated. Employees are therefore likely to be accustomed to updating their VPN client, which is what this lure relies on.

Researchers at Abnormal Security have identified a phishing campaign that impersonates a user’s organization and claims there is a problem with the VPN configuration that must be addressed to allow the user to continue to use the VPN to access the network.

The emails appear to have been sent by the IT Support team and include a hyperlink that must be clicked to install the update. The user is told in the email that they will be required to supply their username and password to login to perform the update.

This campaign targets specific organizations and spoofs an internal email to make it appear that the email has been sent from a trusted domain. The hyperlink has anchor text related to the user’s organization to hide the true destination URL to make it appear legitimate. If the user clicks the hyperlink in the email, they will be directed to a website with a realistic Office 365 login prompt. The phishing webpage is hosted on a legitimate Microsoft .NET platform so has a valid security certificate.

Fake VPN Alert Phishing

Source: Abnormal Security

Login credentials entered on the site will be captured by the attacker and can be used to access the individual’s Office 365 email account and obtain sensitive data in emails and attachments, as well as other data accessible using the Office 365 credentials through single sign-on.

Abnormal Security has found a variety of phishing emails that use variations of this message, which have been sent from several different IP addresses. Since the destination phishing URL is the same in each email, it suggests that the emails are part of the same campaign and have been sent by a single attacker.
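The tell-tale sign in this campaign is a link whose visible text looks like an internal address while the href goes elsewhere. The following is an added example (not code from Abnormal Security or HIPAA Journal) of a mail-gateway check for that mismatch; the organization domain `hospital.example`, the external host `vpn-update.example.net` and the email body are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The domain the recipient's organization really uses (assumed for this example).
ORG_DOMAIN = "hospital.example"

# Constructed HTML body modelled on the campaign: a spoofed "IT Support" notice whose
# link text looks like an internal address while the href leads to an external site.
SAMPLE_EMAIL = """<html><body>
<p>IT Support: your VPN configuration must be updated today to keep network access.
You will be asked for your username and password to log in and apply the update.</p>
<p><a href="https://vpn-update.example.net/login">vpn.hospital.example/update</a></p>
<p>Need help? See <a href="https://intranet.hospital.example/help">intranet.hospital.example/help</a>.</p>
</body></html>"""

# Matches a hostname-looking token inside the visible anchor text.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname ('vpn.hospital.example' -> 'hospital.example').
    Good enough for this demo; a public-suffix list is needed for hosts under e.g. co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html_body, org_domain=ORG_DOMAIN):
    """Return links whose visible text points somewhere other than the real destination."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target = registrable(urlparse(href).hostname or "")
        reasons = []
        shown = DOMAIN_RE.search(text)
        # 1. The anchor text names a domain, but the href resolves to a different one.
        if shown and registrable(shown.group(0)) != target:
            reasons.append("text/href domain mismatch")
        # 2. The anchor text carries the organization's own domain, yet the link leaves it.
        if org_domain in text.lower() and target != registrable(org_domain):
            reasons.append("org-branded text, external destination")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

Only the VPN "update" link is reported; the genuine intranet link, whose text and href agree, passes.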

Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA

A Russian hacking outfit called Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent, which is commonly used for Unix-based systems. The flaw, tracked as CVE-2019-10149, is a remote code execution vulnerability that was introduced in Exim version 4.87.

An update was released on June 5, 2019 to correct the flaw, but many organizations have still not updated Exim and remain vulnerable to attack.

The vulnerability can be exploited by sending a specially crafted email which allows commands to be executed with root privileges. After exploiting the flaw, an attacker can install programs, execute code of their choosing, modify data, create new accounts, and potentially gain access to stored messages.

According to a recent National Security Agency (NSA) alert, Sandworm hackers have been exploiting the flaw by incorporating a malicious command in the MAIL FROM field of an SMTP message. Attacks have been performed on organizations using vulnerable Exim versions that have internet-facing mail transfer agents.

After exploiting the vulnerability, a shell script is downloaded from a remote server under the control of the hackers which is used to add privileged users, update SSH configurations to allow remote access, disable network security settings, and execute an additional script to allow further exploitation. This would potentially allow the hackers to gain full control of the email server. Were that to happen, all incoming and outgoing email could be intercepted and exfiltrated.

Sandworm is part of Russia’s General Staff Main Intelligence Directorate, otherwise known as GRU. The hackers have previously conducted attacks on countries in Europe and the United States. The group has conducted several cyberattacks on foreign governments and is believed to have been involved in Russia’s efforts to influence the outcome of the 2016 presidential election.

The NSA has suggested mitigations to prevent exploitation of the flaw, the most important of which is updating Exim immediately to version 4.93 or a later release. The update will correct the CVE-2019-10149 vulnerability and other vulnerabilities that could potentially be exploited. After updating, administrators should make sure that software versions are regularly checked and updated as soon as new versions are released. Exim Mail Transfer Agent software can be updated through the Linux distribution’s package manager or directly from Exim.

If it is not possible to update immediately, it may be possible to detect and block exploit attempts. For instance, “Snort 3 rule 1-50356 alerts on exploit attempts by default for registered users of a Snort Intrusion Detection System (IDS).” Administrators should also routinely verify there have been no unauthorized system modifications such as additional accounts and SSH keys. Modifications would indicate a compromise.

The NSA recommends limiting user access privileges when installing public-facing mail transfer agents and using network segmentation to separate roles and requirements. It is important to keep public mail transfer agents separate from sensitive internal resources in a DMZ enclave, and firewall rules should be set to block unexpected traffic from reaching trusted internal resources. It is also important to only permit mail transfer agents to send outbound traffic to necessary ports. All other ports should be blocked.

“If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the Internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors’ method of using CVE-2019-10149 would have been mitigated,” explained the NSA in their alert.
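The NSA's advice to routinely verify that no accounts or SSH keys have been added can be turned into a baseline comparison. This is an added example (not NSA or Exim code): it diffs saved copies of /etc/passwd and an authorized_keys file against their current contents and grades each change. The baseline and current contents below are constructed and show the kind of changes the alert describes (a new uid 0 account, a service account given a login shell, an unknown key).

```python
# Constructed baseline captured before exposure, and the current state of a mail host.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:101:103::/var/spool/exim4:/usr/sbin/nologin
mailadmin:x:1000:1000:Mail Admin:/home/mailadmin:/bin/bash
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:101:103::/var/spool/exim4:/bin/bash
mailadmin:x:1000:1000:Mail Admin:/home/mailadmin:/bin/bash
support:x:0:0::/root:/bin/bash
"""
BASELINE_KEYS = """# mailadmin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKeyBlob mailadmin@ws1
"""
CURRENT_KEYS = """# mailadmin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKeyBlob mailadmin@ws1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKeyBlob
"""

# Shells that do not grant an interactive login; a new account with any other shell is worse.
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Map username -> (uid, gid, shell) from /etc/passwd-style content."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip blank, comment and malformed lines
        users[fields[0]] = (int(fields[2]), int(fields[3]), fields[6])
    return users


def parse_authorized_keys(text):
    """Return the set of (key_type, key_blob) pairs, ignoring options and comments."""
    keys = set()
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # A line may begin with options such as command="..."; locate the key-type token.
        for i, tok in enumerate(fields):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                keys.add((tok, fields[i + 1]))
                break
    return keys


def account_drift(baseline_passwd, current_passwd):
    """Accounts added, removed or altered since the baseline, each with a severity."""
    base, cur = parse_passwd(baseline_passwd), parse_passwd(current_passwd)
    findings = []
    for name, (uid, gid, shell) in cur.items():
        if name not in base:
            sev = "high" if uid == 0 or shell not in NOLOGIN_SHELLS else "medium"
            findings.append({"severity": sev, "detail": f"new account {name} uid={uid} shell={shell}"})
        elif base[name] != (uid, gid, shell):
            findings.append({"severity": "high",
                             "detail": f"account {name} changed {base[name]} -> {(uid, gid, shell)}"})
    for name in sorted(base.keys() - cur.keys()):
        findings.append({"severity": "medium", "detail": f"account {name} removed"})
    return findings


def key_drift(baseline_keys, current_keys):
    """Authorized keys present now that were not in the baseline."""
    base, cur = parse_authorized_keys(baseline_keys), parse_authorized_keys(current_keys)
    return [{"severity": "high", "detail": f"new authorized key {t} {blob[:20]}..."}
            for t, blob in sorted(cur - base)]


if __name__ == "__main__":
    for f in account_drift(BASELINE_PASSWD, CURRENT_PASSWD) + key_drift(BASELINE_KEYS, CURRENT_KEYS):
        print(f["severity"].upper(), f["detail"])
```

In practice the baseline is stored off-host (a compromised server can rewrite a local copy) and the comparison is scheduled alongside the version check.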

Senators Seek Answers from CISA and FBI About Threat to COVID-19 Research Data

Four Senators have written to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) in response to the recent alert warning COVID-19 research organizations that hackers with links to China are conducting attacks to gain access to COVID-19 vaccine and research data.

On May 13, 2020, CISA and the FBI issued a joint alert warning organizations in the healthcare, pharmaceutical, and research sectors that they are prime targets for hackers. Hacking groups linked to the People’s Republic of China have been attempting to infiltrate the networks of U.S. companies to gain access to intellectual property, public health data, and information related to COVID-19 testing, potential vaccines, and treatment information.

“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19,” warned CISA and the FBI. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”

In the letter, Thom Tillis (R-NC), Richard Blumenthal (D-CT), John Cornyn (R-TX), and Ben Sasse (R-NE) praised the efforts of both agencies to raise awareness of the threat and investigate attacks. “It is absolutely unacceptable for Chinese government affiliated hackers to attempt to steal or disrupt important research from companies and institutions who are developing essential diagnostics, cures, and treatments,” wrote the Senators.

The Senators reiterated the advice offered by both agencies and have urged all U.S. companies and academic institutions involved in the COVID-19 response to take full advantage of the resources suggested by the agencies to improve their cybersecurity defenses and to also ensure that any attempted attacks are reported to the FBI immediately.

The Senators explained that they stand ready and willing to assist both agencies in their efforts to deal with the threat and prevent the theft of intellectual property from U.S. firms, and have asked how they can best support both agencies.

The Senators have asked what additional statutory tools or authorities the agencies need to combat the state-sponsored hacking of U.S. companies more effectively, and what additional financial resources and appropriations are required to allow the agencies to investigate further attempts by state-sponsored hackers to obtain sensitive research data.

The Senators have also requested information on the steps both agencies are taking to inform U.S. companies and research organizations about the threat of attack, and how the agencies are helping companies and research institutions to improve their cybersecurity defenses and prevent further intrusions and data theft.

The Senators have requested answers to the questions in a classified briefing with their staff no later than June 20, 2020.

H-ISAC Publishes Framework for Managing Identity in Healthcare

The Health Information Sharing and Analysis Center (H-ISAC) has published a framework for CISOs to manage identity and defend their organization against identity-based cyberattacks. This is the second white paper to be published by H-ISAC covering the identity-centric approach to security. The first white paper explains why an identity-centric approach to cybersecurity is now needed, with the latest white paper detailing how that approach can be implemented.

By adopting the framework, CISOs will be able to manage the full identity lifecycle of employees, patients, practitioners, and business partners in a way that guards against cyberattacks on identity, lowers risk, and increases operational efficiencies.

The framework has been developed for CISOs at healthcare organizations of all sizes. As such, it does not offer a one-size-fits-all approach. Instead, components of the framework can be applied differently based on different environments and use cases. CISOs will need to assess the resources available and their unique risks and decide how best to apply the framework.

The framework details the different components that are required in a modern identity-centric approach to cybersecurity and outlines how those components integrate and inter-relate to secure the enterprise.

The central concept of the framework is simple: how to allow users to access resources in a way that protects against cyberattack. At the heart of the framework is an identity governance and administration system, which serves as the central nervous system that ties in all the other components and ensures they work seamlessly together.

The identity governance and administration system allows organizations to establish set rules and processes related to the creation, removal, and updating of accounts, manage policies and processes of all aspects of their identity and access management (IAM) system, manage privilege escalation requests, conduct audits for compliance purposes, and take actions to remediate any misuses of the IAM system.

The framework uses identity directories as an authoritative identity store for an organization, which detail roles, accounts, attributes, and the privileges associated with different roles and accounts. The white paper details three guiding principles for authorization: Granting privileges, managing privileges, and reviewing privileges. Privileges must be tightly controlled and assigned based on roles, rights, and responsibilities. Processes must be defined to manage privileges and update them as circumstances change. Reviews should also be conducted to ensure that users have only been assigned rights that are appropriate for their role and responsibilities.

A few years ago, all that was required to gain access to resources was a password, but threat actors are now adept at stealing passwords and as a result the security utility of passwords has diminished. H-ISAC therefore recommends multi-factor authentication. The framework takes MFA one step further and includes device authentication, human authentication, analytics, and privileged access management to enable continuous, risk-based authentication.

Device authentication ensures only trusted devices are granted access to resources. Human authentication is then required to ensure that the correct person is using that device. Analytics are then used to identify anomalies that could indicate attempts by unauthorized individuals to access resources, such as a device being used to access resources from California and then five minutes later being used in New York. Privileged access management solutions should also be used for session monitoring and to implement additional layers of authentication to prevent credential compromise and limit privilege escalation.
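The California-then-New-York anomaly described above is the classic impossible-travel rule in the framework's analytics layer. The following is an added example, not code from the H-ISAC white paper: it walks a user's successful sign-ins in time order and alerts when the distance between consecutive source locations implies a speed no traveller could reach. The sign-in records, the IP-to-location table and the 1,000 km/h threshold are constructed assumptions; a real deployment would use a GeoIP database.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumed source-IP -> (label, latitude, longitude) lookup (documentation IP ranges).
GEO = {
    "203.0.113.10": ("San Francisco, CA", 37.77, -122.42),
    "198.51.100.7": ("New York, NY", 40.71, -74.01),
    "192.0.2.55": ("Oakland, CA", 37.80, -122.27),
}

# Faster than any airline flight; anything above this is physically impossible.
MAX_KMH = 1000.0

# Constructed sign-in records: "ISO-timestamp user source-ip result".
SAMPLE_LOG = [
    "2020-06-01T09:00:00 alice 203.0.113.10 success",
    "2020-06-01T09:02:00 alice 198.51.100.7 failure",
    "2020-06-01T09:05:00 alice 198.51.100.7 success",
    "2020-06-01T09:00:00 bob 203.0.113.10 success",
    "2020-06-01T09:30:00 bob 192.0.2.55 success",
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on the Earth's surface."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_log(lines):
    """Parse the constructed record format and return events sorted by time."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def impossible_travel(lines, max_kmh=MAX_KMH):
    """Return one alert per consecutive pair of successful sign-ins that implies impossible travel."""
    last_seen = {}  # user -> (timestamp, source ip) of the previous successful sign-in
    alerts = []
    for ts, user, ip, result in parse_log(lines):
        if result != "success" or ip not in GEO:
            continue  # failures and unknown locations do not move the user's position
        if user in last_seen:
            prev_ts, prev_ip = last_seen[user]
            if prev_ip != ip:
                _, la1, lo1 = GEO[prev_ip]
                _, la2, lo2 = GEO[ip]
                km = haversine_km(la1, lo1, la2, lo2)
                hours = (ts - prev_ts).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if speed > max_kmh:
                    alerts.append({"user": user, "from": GEO[prev_ip][0], "to": GEO[ip][0],
                                   "km": round(km), "minutes": round(hours * 60), "kmh": round(speed)})
        last_seen[user] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        print(alert)
```

Alice's San Francisco to New York hop in five minutes is flagged; Bob's Oakland sign-in half an hour after San Francisco is well within reach and is not.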

The framework also outlines four different use cases: On-boarding new employees, managing users and changing privileges when an employee’s role changes, credentialing a third-party business partner for limited systems access, and credentialing new patients.

Alert Issued by Feds to Raise Awareness of Scams Related to COVID-19 Economic Payments

A joint alert has been issued by the IRS, DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury to raise awareness of the risk of phishing and other cyberattacks related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The CARES Act has made $2 trillion available to support businesses and individuals adversely affected by the COVID-19 pandemic, which will help to reduce the financial burden through economic impact payments to eligible Americans. CARES Act payments are being used as a lure in phishing attacks to obtain personal and financial information and attempts have been made to redirect CARES Act payments. All Americans have been urged to be on the lookout for criminal fraud related to the CARES Act and COVID-19.

The U.S. Government reports that many cybercriminal groups are using stimulus-themed lures in phishing emails and text messages to obtain sensitive information such as bank account information. Financial institutions have been asked to remind their customers to practice good cybersecurity hygiene and to monitor for illicit account use and creation.

Criminals are using CARES Act-themed emails and websites to obtain sensitive information, spread malware, and gain access to computer networks. “Themes for these scams might include economic stimulus, personal checks, loan and grant programs, or other subjects relevant to the CARES Act. These CARES Act related cybercriminal attempts could support a wide range of follow-on activities that would be harmful to the rollout of the CARES Act.”

Threat actors may seek to disrupt the operations of organizations responsible for implementing the CARES Act, including the use of ransomware to interrupt the flow of CARES Act funds and to extort money from victims. Federal, state, local and tribal agencies are being urged to review their payment, banking, and loan processing systems and ramp up security to prevent attacks.

Foreign threat actors have been discovered to be submitting fraudulent claims for COVID-19 relief funds, with one Nigerian business email compromise (BEC) gang known to have submitted more than 200 fraudulent claims for unemployment benefits and CARES Act payments. The gang, known as Scattered Canary, has been submitting multiple claims via state unemployment websites to obtain payments using data stolen in W-2 phishing attacks. The gang has submitted at least 174 fraudulent claims with the state of Washington and more than a dozen with the state of Massachusetts. At least 8 states have been targeted to date.

The U.S. Government has been distributing threat intelligence and cybersecurity best practices to help disrupt and deter criminal activity and the U.S. Secret Service is currently focussed on investigative operations to identify individuals exploiting the pandemic to ensure they are brought to justice and any proceeds of the crimes are recovered.

The IRS has reminded taxpayers that it does not initiate contact with taxpayers via email, text message, or social media channels to request personal and financial information such as bank account numbers, credit card information, and PINs. The IRS has warned Americans that copycat domains may be set up to obtain sensitive information and has advised them to carefully check any domain for transposed letters and mismatched SSL certificates. The IRS is only using is and the IRS-run site,

All Americans have been advised to be vigilant and monitor their financial accounts for signs of fraudulent activity and to report any cases of phishing attacks and other scams to the appropriate authorities. They should also alert their employer if they feel they may have fallen for a scam and revealed sensitive information about their organization.

The alert, Avoid Scams Related To Economic Payments, COVID-19, can be viewed on this link.

Web Application Attacks Double as Threat Actors Target Cloud Data

The 2020 Verizon Data Breach Investigations Report shows malware attacks are falling as threat actors target data in the cloud. This is the 13th year that the report has been produced, and this year it contains an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 global contributors in 81 countries.

The report confirms that the main motivator for conducting attacks is financial gain. 86% of all security breaches were financially motivated, up from 71% last year. 70% of breaches were due to external actors, with 55% of attacks conducted by cybercriminals.

67% of breaches were the result of credential theft or brute forcing of weak credentials (37%) and phishing and other social engineering attacks (25%). 22% of those breaches involved human error.

Only 20% of breaches were due to the exploitation of vulnerabilities. It should be noted that it is much easier to conduct attacks using stolen credentials rather than exploiting vulnerabilities, so the relatively low number of vulnerability-related attacks may not be due to organizations patching vulnerabilities more promptly.

The ease of conducting attacks using stolen or brute forced credentials has seen malware attacks become less popular. That said, ransomware is proving to be an attractive option, which has seen an increase from 24% to 27% of all malware related attacks.

There was a significant increase in web application attacks over the past 12 months, which doubled to 43% of all breaches. 80% of those breaches involved credential theft. With more organizations moving their data from traditional domain controllers and internal infrastructure to the cloud, it is no surprise that there has been a sizeable increase in attacks on the cloud.

The data collected for the report does not cover the period of the COVID-19 public health emergency, when many organizations accelerated their cloud migration plans to allow more employees to work from home. It is likely that next year’s report will see an even higher percentage of attacks on cloud resources.

“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, CEO, Verizon Business. “In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”

Attack Trends Over the Past 6 Years

Source: Verizon

Cyberattacks and Insider Breaches in Healthcare

Financially motivated cyberattacks accounted for 88% of healthcare breaches, with many of the attacks involving ransomware. 4% of healthcare cyberattacks were conducted for fun and 3% of attacks were conducted out of convenience.

Verizon reports a significant increase in healthcare data breaches in the past 12 months. Last year’s report included 304 healthcare data breaches but this year the number has increased to 521 breaches. The figure below shows the patterns for cyberattacks in the healthcare industry. Crimeware includes malware and ransomware, which is the most common type of attack on healthcare organizations. As in other industry sectors, attacks on web applications are increasing.

Source: Verizon

The healthcare industry usually has a higher than average number of cases of privilege misuse, where insiders with access to sensitive data abuse their access rights to view or steal data. With so many employees given access to patient data and its high value on the black market, this is to be expected.

There is some good news in this year’s report. For the first time privilege misuse has dropped out of the top three causes of healthcare data breaches. This is part of a trend that can be seen across all industry sectors, which suggests that employees are thinking twice about accessing data without authorization and healthcare providers are getting better at protecting data.

Verizon notes that there has also been a decrease in breaches involving multiple actors, which is usually a third-party such as an identity thief working with an insider who supplies the data. In the 2019 report, 4% of breaches involved multiple actors whereas in 2020 the percentage dropped to 1%. The percentage of breaches caused by internal actors vs external actors also changed significantly. In the 2019 report, 59% of healthcare breaches were caused by internal actors with 42% caused by external attackers. This year’s report sees internal actors responsible for 48% of breaches with external actors accounting for 51% of breaches.

This year, the biggest causes of breaches in healthcare were miscellaneous errors and breaches of web applications. The main cause of those miscellaneous-error breaches was misdirection: emails sent to incorrect recipients and mass mailings in which letters are sent to the wrong patients, as happens when there is a mail merge error.


April 2020 Healthcare Data Breach Report

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.

Healthcare data breaches by month (2019-2020)

While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Healthcare records breached in the past 6 months

Largest Healthcare Data Breaches in April 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Beaumont Health | Healthcare Provider | 112,211 | Hacking/IT Incident | Email |
| Meridian Health Services Corp. | Healthcare Provider | 111,372 | Hacking/IT Incident | Email |
| Arizona Endocrinology Center | Healthcare Provider | 74,122 | Unauthorized Access/Disclosure | Electronic Medical Record |
| Advocate Aurora Health | Healthcare Provider | 27,137 | Hacking/IT Incident | Email, Network Server |
| Doctors Community Medical Center | Healthcare Provider | 18,481 | Hacking/IT Incident | Email |
| Andrews Braces | Healthcare Provider | 16,622 | Hacking/IT Incident | Network Server |
| UPMC Altoona Regional Health Services | Healthcare Provider | 13,911 | Hacking/IT Incident | Email |
| Colorado Department of Human Services, Office of Behavioral Health | Healthcare Provider | 8,132 | Unauthorized Access/Disclosure | Network Server |
| Agility Center Orthopedics | Healthcare Provider | 7,000 | Hacking/IT Incident | Email |
| Beacon Health Options, Inc. | Business Associate | 6,723 | Loss | Other Portable Electronic Device |

Causes of Healthcare Data Breaches in April

As was the case in March, hacking and IT incidents were the leading cause of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common cause of breaches, an increase of 77.77% from the previous month.

333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.

There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.

causes of healthcare data breaches in April 2020

The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.

Location of breached PHI in April 2020

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in April, with 30 breaches reported. Four health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further eight breaches had some business associate involvement.

Healthcare Data Breaches by State

April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.

HIPAA Enforcement Activity in April

There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.
