Healthcare Data Security

1H 2022 Healthcare Data Breach Report

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022, shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, 21 more than the 347 reported in the corresponding period this year. That represents a 5.71% reduction in reported breaches.

Reported healthcare data breaches - 1H 2022

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

breached healthcare records - 1H 2022

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as there have been some major data breaches reported that are not yet reflected in this breach report, namely data breaches at business associates where only a handful of affected entities have reported the data breaches so far.

One notable breach is a ransomware attack on the HIPAA business associate, Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records
Breach size | Number of breaches
500-1,000 records | 61
1,001-9,999 records | 132
10,000-99,000 records | 117
100,000-249,999 records | 20
250,000-499,999 records | 7
500,000-999,999 records | 6
1,000,000+ records | 4

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Data Breach | Cause of Data Breach
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Unspecified cyberattack
North Broward Hospital District (Broward Health) | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | No | Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Hacking/IT Incident | No | Unspecified cyberattack
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack
MCG Health, LLC | WA | Business Associate | 793,283 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Hacking/IT Incident | No | Ransomware attack
Morley Companies, Inc. | MI | Business Associate | 521,046 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking/IT Incident | No | Unspecified hacking incident
Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking/IT Incident | No | Unauthorized access to email accounts
Monongalia Health System, Inc. | WV | Healthcare Provider | 492,861 | Hacking/IT Incident | No | Unspecified hacking incident
ARcare | AR | Healthcare Provider | 345,353 | Hacking/IT Incident | No | Malware infection
Super Care, Inc. dba SuperCare Health | CA | Healthcare Provider | 318,379 | Hacking/IT Incident | No | Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) | GA | Healthcare Provider | 312,000 | Hacking/IT Incident | No | Ransomware attack
South Denver Cardiology Associates, PC | CO | Healthcare Provider | 287,652 | Hacking/IT Incident | No | Unspecified hacking incident
Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center | NY | Healthcare Provider | 260,740 | Hacking/IT Incident | No | Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records. In 2H, 2022, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 1H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is included in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where PHI was stored. In several security breaches, PHI was breached in several locations.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

Location of breached PHI

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, they are not clearly reflected as, oftentimes, a breach at a business associate is self-reported by each HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022, shows data breaches occurred in 43 states, D.C. and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, & Wyoming, where no data breaches were reported in the first half of the year.

State | Number of Breaches
New York | 29
California | 23
New Jersey, Texas | 18
Florida, Ohio | 17
Michigan, Pennsylvania | 15
Georgia | 14
Virginia | 13
Illinois, Washington | 12
Massachusetts, North Carolina | 10
Colorado, Missouri, Tennessee | 9
Alabama, Arizona, Kansas | 8
Maryland | 7
Connecticut, South Carolina | 6
Oklahoma, Utah, West Virginia | 5
Indiana, Minnesota, Nebraska, New Hampshire | 4
Wisconsin | 3
Arkansas, Delaware, Mississippi, Montana, Nevada, District of Columbia | 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, Puerto Rico | 1

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, they are not included in this report, even if they operate in the healthcare industry.

The post 1H 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

55% of Healthcare Organizations Suffered a Third-Party Data Breach in the Past Year

Cyberattacks on businesses have been increasing year over year across all industry sectors, and there has been an increase in cyberattacks involving third parties. From the point of view of a cyber threat actor, it makes more sense to attack a vendor such as a managed service provider, since, if the attack is successful, the threat actor will be able to gain access to the networks of the company’s clients. Already in 2022, there have been several major cyberattacks on vendors used by healthcare organizations, one of which impacted 650 of the company’s HIPAA-covered entity clients.

SecureLink, a provider of access management solutions for businesses, has recently explored how businesses are managing the risk associated with providing vendors with privileged access to their systems and has identified areas where the risks are not being effectively managed, even though efforts are being made to improve cybersecurity.

For SecureLink’s latest report, The State of Cybersecurity and Third-Party Remote Access Risk, the company surveyed 600 U.S. companies across a range of industry sectors, including healthcare, to learn more about their cybersecurity practices and how they are managing third-party risk.

55% of healthcare organizations that responded to the survey said they had experienced a third-party data breach in the last 12 months, which was the second highest percentage of all industry sectors, beaten only by the financial sector where 58% of companies had experienced a third-party data breach. Both of these industry sectors rely heavily on third parties, and those third parties have access to sensitive data that is of high value to cybercriminals.

65% of healthcare organizations said they did not feel that their IT systems are making third-party security and access a top priority, and across all industry sectors, 50% of companies said managing third-party security is overwhelming and a drain on internal resources.

Organizations had a budget of $365 million for IT in 2021, of which $78.5 million is spent on cybersecurity, around 21.5% of the IT budget. Despite the investment in cybersecurity, 54% of organizations experienced a data breach in the past 12 months. 52% of respondents said there had been an increase in cyberattacks compared to the previous year, and the number of third-party attacks increased from 44% to 49%.

The survey confirmed that organizations are starting to understand how to keep their systems and data safe; however, the number of cyberattacks is increasing and so is the sophistication of those attacks. The result is little headway has been made, with many organizations struggling to innovate their cybersecurity as fast as other aspects of their operations.

The SecureLink survey indicates organizations are failing to treat third-party vendors relative to the security risk they pose. For example, in 2022, only 49% of organizations had a comprehensive inventory of all third parties that had access to their systems. This is an improvement from the 42% in 2021, but only slightly. There has been a greater percentage increase in organizations that have identified all third parties with access to their most sensitive data, rising from 35% in 2021 to 45% in 2021, but the figure is still worryingly low.

“While there is a statistically significant increase in terms of identifying third parties, that number is hovering under 50% while the reliance on third parties and a remote workforce is trending upwards. And while there is an increase in those measures, organizations are still finding managing third-party access to be overwhelming. All those numbers add up to a major risk point,” said SecureLink.

One of the main problems that organizations face is the complexity of their third-party relationships, which was stated as a problem by 48% of respondents. Added to that, monitoring is often a manual process, which is not a great use of internal resources that are already stretched. The survey revealed only 36% of organizations have automated the process of monitoring third parties. With a lack of monitoring and automation, it is not surprising that 47% of respondents said they are not highly effective at detecting third-party threats.

“The biggest challenge businesses face is having the manpower to manage third-party identities and cyber risk. With more streamlined systems and automated workflows, access is more manageable and less burdensome on employees,” said SecureLink. “Automation and efficiency are key factors in a successful cybersecurity strategy. Using security technology to streamline operations creates efficiency, which in turn, will be more effective in mitigating threats and pulling in/retaining talent to manage cybersecurity.”


Ransom Payment Data Suggests More Victims are Choosing Not to Pay

The average payment in ransomware attacks increased in Q2, 2022; however, there was a fall in the median payment for the second successive quarter, indicating more victims of ransomware attacks are choosing not to pay up. The data comes from the latest quarterly report from the ransomware remediation firm, Coveware. The average ransom payment in Q2, 2022 was $228,125, which is an 8% increase from the previous quarter. The median ransom payment was $36,360, which is a 51% decrease from Q1, 2022.

According to Coveware, the recent fall in payments indicates the changing profile of attacked companies, with ransomware gangs now tending to focus on attacking mid-market companies. Attacks on large enterprises are costly due to their large budgets for cybersecurity but the potential returns are greater. While ransomware attacks on mid-market firms mean the ransom demands must be smaller, the risks associated with attacks are also lower. Mid-market firms appear to be the sweet spot. The profits are sufficiently high to make the attacks worthwhile, and the ransomware gangs are less likely to face geopolitical pressure and action by law enforcement. Coveware also notes that a trend has been identified where large enterprises are refusing to even engage with ransomware gangs if their initial ransom demand is too large.

When ransomware gangs started exfiltrating data prior to encrypting files the percentage of victims paying ransoms increased, as many victims chose to pay even if they had backups to prevent the sale or public disclosure of the stolen data. In Q2, 2022, 86% of ransomware attacks involved data theft and a threat to release the stolen data publicly. While the payment of the ransom is needed to prevent the publication of stolen data, Coveware notes that it has seen growing evidence that ransomware gangs are not making good on their promise to delete the data, which means the ransom payment was unnecessary.

If a ransomware attack involves data theft, Coveware says payment of the ransom does not mitigate the risk of harm, nor any liability the victim has to protect impacted parties. While some victims might view payment of the ransom as a way to protect against future class action lawsuits, “Paying a ransom is not going to thwart a meritless lawsuit, and there has been no case law to suggest that the risk of a suit happening, or the resulting settlements or damages are mitigated by paying a ransom,” said Coveware. Coveware also suggests that paying the ransom does not limit brand damage, nor does it show that a company has done everything to protect customers or clients. “A far better narrative is to be candid, honest, and contrite. Your impacted constituents will understand that this happens, and will appreciate the transparency.”

Q2, 2022 saw a change in the ransomware landscape following the shutdown of the Conti ransomware operation, whose members are instead now working with smaller ransomware operations. Ransomware attacks are now spread out much more broadly across several smaller operations, with BlackCat having a market share of 16.9%, followed by LockBit 2.0 with 13.2%, Hive with 6.3%, and Quantum, Conti V2, Phobos, Black Basta, and AvosLocker, which each have a market share of around 5%. There appears to be a trend where RaaS affiliates are choosing to spread their attacks across multiple ransomware brands.

As was the case in Q1, 2022, the most popular attack vector is still email phishing, although RDP compromise remains popular. The exploitation of software vulnerabilities and other attack vectors are still used, and Coveware suggests that affiliates are not limiting themselves to one attack vector.

In Q2, 2022, professional services was the most attacked sector, accounting for 21.9% of attacks, followed by the public sector (14.4%), healthcare (10%), and software services (9.4%). There was a slight increase in the number of attacks on healthcare organizations, which is largely due to the Hive ransomware gang expanding its operations. The Hive ransomware gang has no qualms about conducting attacks on the healthcare sector.


IBM: Average Cost of a Healthcare Data Breach Reaches Record High of $10.1 Million

The average cost of a healthcare data breach has reached double digits (in millions of dollars) for the first time ever, according to the 2022 Cost of a Data Breach Report from IBM Security. The average cost of a healthcare data breach jumped almost $1 million to a record high of $10.1 million, which is 9.4% more than in 2021 and 41.6% more than in 2020. Across all industry sectors, the average cost of a data breach was up 2.6% year over year at $4.35 million, which is the highest average cost in the 17 years that IBM has been producing its annual Cost of a Data Breach reports and 12.7% higher than in 2020.

The report is based on a study of 550 organizations in 17 countries and regions and 17 different industry sectors that suffered data breaches between March 2021 and March 2022. For the report, IBM Security conducted more than 3,600 interviews with individuals in those organizations. 83% of organizations represented in the report have experienced more than one data breach, and 60% of organizations said the data breach resulted in them having to increase the price of their products and services.

Summary of 2022 Data Breach Costs

  • Global average cost of a data breach – $4.35 million (+2.6%)
  • Global average cost per record – $164 (+1.9%)
  • Average cost of a U.S. data breach – $9.44 million (+4.3%)
  • Average cost of a healthcare data breach – $10.1 million (+9.4%)
  • Average cost of a ransomware attack – $4.54 million (-1.7%)
  • Average cost where phishing was the initial attack vector – $4.91 million
  • Average cost of a 1 million-record data breach – $49 million
  • Average cost of a 50-60 million-record data breach – $387 million

For the first time in at least six years, the biggest component of the data breach costs was detection and escalation, which cost $1.44 million in 2022, up from $1.24 million in 2021. Next was lost business, which cost an average of $1.42 million in 2022, down from $1.59 million in 2022. Post-breach response increased slightly from $1.14 million in 2021 to $1.18 million in 2022, and there was a small increase in notification costs, which rose from $0.27 million in 2021 to $0.31 million in 2022.

On average, 52% of the breach costs are incurred in the first year, 29% in the second year, and 19% after two years. In highly regulated industries such as healthcare, a much larger percentage of the costs are incurred later, with 45% of costs in the first year, 31% in year 2, and 24% later than year 2, which was attributed to regulatory and legal costs.

The report explored the different initial attack vectors and found that the most common entry route was the use of stolen credentials, which accounted for 19% of all data breaches, with these data breaches costing an average of $4.5 million. Phishing attacks accounted for 16% of all data breaches, and phishing was the costliest attack vector, with an average data breach cost of $4.91 million, closely followed by business email compromise attacks, which accounted for 6% of all data breaches and cost an average of $4.89 million. Cloud misconfigurations accounted for 15% of data breaches and cost an average of $4.14 million, and vulnerabilities in third-party software accounted for 13% of data breaches and cost an average of $.55 million per breach.

The average time to identify a data breach was 207 days in 2022, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter data breach lifecycle (time to identify and contain a breach) equates to a lower breach cost. Data breaches with a lifecycle of fewer than 200 days cost 26.5% ($1.12 million) less on average than data breaches with a lifecycle of over 200 days.

One of the most important steps to take to improve security is to adopt zero trust strategies, but only 59% of organizations had adopted zero trust, and almost 80% of critical infrastructure organizations had yet to implement zero-trust strategies. The average breach cost for critical infrastructure organizations without zero trust was $5.4 million, which was $1.17 million more than those that had implemented zero trust strategies.

Cost of Data Breaches by Breach Cause

The average cost of a ransomware attack fell slightly by 1.7% to $4.54 million, not including the cost of the ransom itself. Ransomware attacks increased significantly in 2022 and accounted for 11% of all data breaches, up from 7.8% of data breaches in 2021. Ransomware attacks took 49 days longer to identify and contain than the global average, taking an average of 237 days to identify the intrusion and 89 days to contain the attack. Paying the ransom only saw a $610,000 reduction in data breach costs, on average, not including the amount of the ransom. Since ransom amounts are often high, the report indicates that paying the ransom does not necessarily lower the breach cost. In fact, paying may well increase the cost of the breach.

Around one-fifth of data breaches were the result of supply chain compromises. The average cost of a supply chain compromise was $4.46 million, which was 2.5% higher than the overall average cost of a data breach. It took an average of 235 days to identify the breach and 68 days to contain the breach, 26 days more than the average data breach.

45% of data breaches occurred in the cloud, with data breaches in the public cloud costing considerably more than data breaches with a hybrid cloud model. 43% of organizations that experienced a data breach in the cloud were in the early stages of their migration to the cloud and had not started applying security practices to secure their cloud environments. Organizations in the early stages of cloud adoption had data breach costs of an average of $4.53 million, whereas those at a mature stage had average breach costs of $3.87 million.

Data Breach Cost Savings

IBM identified several steps that organizations can take to reduce the financial cost and reputational consequences of a data breach. The main cost-saving elements were:

  • Fully deployed security AI and automation – $3.05 million
  • Incident response team with regularly tested IR plan – $2.66 million
  • Adoption of zero trust – $1.5 million
  • Mature cloud security practices – $720,000
  • Being fully staffed vs insufficiently staffed – $550,000
  • Use of extended detection and response (XDR) technologies – 29-day reduction in response time


Tenet Healthcare Cyberattack Had a $100 Million Unfavorable Impact in Q2, 2022

A cyberattack and data breach cost Tenet Healthcare $100 million in lost revenue and mitigation costs in Q2, 2022. Dallas, TX-based Tenet Healthcare is one of the largest healthcare providers in the United States, running 65 hospitals and more than 450 healthcare facilities across the United States through its brands and subsidiaries. In April 2022, Tenet experienced a cyberattack that caused major disruption to its IT systems and acute care operations for several weeks. The attack forced staff to work with pen and paper during the recovery period, and at least one of the affected hospitals had to temporarily divert ambulances to other facilities. The attack also disrupted its phone system, with doctors forced to leave the premises to make phone calls. The cyberattack affected at least two hospitals and started on April 20, 2022. Tenet did not publicly release details of the attack, such as whether it involved ransomware.

According to Tenet’s Q2 2022 earnings report, the attack has had a $100 million unfavorable EBITDA (earnings before interest, taxes, depreciation, and amortization) impact. Adjusted admissions fell by 5.3% year-over-year, with total admissions down 8% from Q2, 2021, and same-hospital net patient service revenue was down 0.2% as a direct result of the cyberattack. Over the quarter, Tenet saw a reduction in income of 68% compared to Q1, 2021, which fell to $38 million, and its operating revenue was down 6.4% to $4.6 million for the quarter. The attack was also partly responsible for a 2.8-day increase in its outstanding accounts receivable.

Tenet CEO Saum Sutaria said IT systems at the affected hospitals had to be totally rebuilt, and while the cyberattack had a significant business and financial impact, Tenet still recorded a strong quarter. Sutaria said the company had ample cybersecurity insurance which has helped to reduce the overall financial impact of the cyberattack. Its insurance policies paid out $5 million in Q2, 2022. The cost of the attack is significant, but it is comparable to other cyberattacks. For example, the ransomware attack on Scripps Health that affected 5 hospitals and 19 outpatient facilities cost Scripps Health $112.7 million in lost revenue and remediation costs.

Tenet will also have to cover further costs. A class action lawsuit was filed in Florida in June that alleges Tenet failed to implement appropriate security safeguards to protect against cyberattacks and did not provide adequate notifications to affected individuals. The lawsuit also alleges that notification letters have still not been sent to all individuals affected by the data breach.


NIST Updates Guidance on HIPAA Security Rule Compliance

The National Institute of Standards and Technology (NIST) has updated its guidance for HIPAA-regulated entities on implementing the HIPAA Security Rule to help them better protect patients’ personal and protected health information.

The Security Rule of the Health Insurance Portability and Accountability Act established national standards for protecting the electronic protected health information (ePHI) that HIPAA-regulated entities create, receive, maintain or transmit. Ensuring compliance with the HIPAA Security Rule is more important than ever due to the increasing number of cyberattacks on HIPAA-regulated entities.

NIST published the first revision of its HIPAA Security Rule guidance in 2008, 6 years before the release of the NIST Cybersecurity Framework. Over the past 14 years, NIST has released other cybersecurity guidance and has regularly updated its Security and Privacy Controls (NIST SP 800-53). One of the main reasons for updating the HIPAA Security Rule guidance was to integrate it into NIST guidance that did not exist when Revision 1 was published in 2008.

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the Security Rule.”

NIST has mapped the elements of the HIPAA Security Rule to the NIST Cybersecurity Framework subcategories and to the controls in NIST SP 800-53, has increased the emphasis on the risk management component of the guidance, and has integrated enterprise risk management concepts. NIST has also factored in the feedback received from healthcare industry stakeholders in its pre-draft call for comments.

The latest revision is more of a refresh than an overhaul. The structure of the guidance has only changed slightly, with the content updated to place an increased emphasis on the assessment and management of risk to ePHI.

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” said Marron. “Our goal is to offer guidance and resources you can use in one readable publication.”

Comments will be accepted by NIST on the updated guidance – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2) – until September 21, 2022.

The post NIST Updates Guidance on HIPAA Security Rule Compliance appeared first on HIPAA Journal.

June 2022 Healthcare Data Breach Report

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month.

The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 1H 2022).

Healthcare data breaches in the past 12 months

For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months.

While huge numbers of healthcare records are being breached, fewer records were breached in the first half of 2022 than were breached in either the first half or the second half of 2021. In 1H 2022, 20,191,930 records were breached – 26.84% fewer than the 27,600,651 records breached in 1H 2021 and 9.2% fewer than the 22,239,769 records breached in 2H 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in June 2022

There were 31 reported breaches of 10,000 or more healthcare records in June – the same number as May 2022 – two of which affected more than 1.2 million individuals. Several healthcare providers submitted breach reports in June 2022 due to the ransomware attack on the HIPAA business associate, Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack and more than 3 million records are known to have been exposed in the attack.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Other | Eye Care Leaders ransomware attack |
| Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Network Server | Ransomware attack |
| MCG Health, LLC | WA | Business Associate | 793,283 | Network Server | Unspecified hacking and data theft incident |
| Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Network Server | Ransomware attack |
| Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Network Server | Eye Care Leaders ransomware attack |
| Spectrum Eye Physicians | CA | Healthcare Provider | 175,000 | Network Server | Eye Care Leaders ransomware attack |
| 90 Degree Benefits, Inc. | WI | Business Associate | 172,450 | Network Server | Unspecified hacking incident |
| Michigan Avenue Immediate Care | IL | Healthcare Provider | 144,104 | Network Server | Unspecified hacking and data theft incident |
| Mattax Neu Prater Eye Center, Inc. | MO | Healthcare Provider | 92,361 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Sight Partners Physicians, P.C. | WA | Healthcare Provider | 86,101 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Clinivate LLC | CA | Business Associate | 77,652 | Network Server | Unspecified hacking incident – No information publicly released |
| Kaiser Foundation Health Plan of Washington | WA | Healthcare Provider | 69,589 | Email | Compromised email account |
| Carolina Eyecare Physicians, LLC | SC | Healthcare Provider | 68,739 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Precision Eye Care, Ltd. | MO | Healthcare Provider | 58,462 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Resolute Health Hospital | TX | Healthcare Provider | 54,239 | Network Server | Ransomware attack |
| Aloha Laser Vision | HI | Healthcare Provider | 43,263 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Center for Sight, Inc. | MA | Healthcare Provider | 41,041 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| McCoy Vision Center | AL | Healthcare Provider | 33,930 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Chesapeake Eye Center PA | MD | Healthcare Provider | 32,770 | Network Server | Eye Care Leaders ransomware attack |
| Kevin Wolf, DPM d/b/a Goldsboro Podiatry | NC | Healthcare Provider | 30,669 | Network Server | Unspecified hacking incident |
| Long Vision Center | TX | Healthcare Provider | 29,237 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Foxhall Ob Gyn Associates | DC | Healthcare Provider | 27,000 | Other | No information |
| Alabama Eye & Cataract, P.C. | AL | Healthcare Provider | 26,000 | Network Server | Eye Care Leaders ransomware attack |
| Lori A. Harkins MD, P.C. dba Harkins Eye Clinic | NE | Healthcare Provider | 23,993 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| DialAmerica Marketing, Inc. | NJ | Business Associate | 19,796 | Network Server | Unspecified hacking incident |
| Central Florida Inpatient Medicine | FL | Healthcare Provider | 19,625 | Email | Compromised email account |
| Yale New Haven Hospital | CT | Healthcare Provider | 19,496 | Other | Data exposed on a public-facing website |
| Cherry Creek Eye Physicians and Surgeons, P.C. | CO | Healthcare Provider | 17,732 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Bayhealth Medical Center, Inc. | DE | Healthcare Provider | 17,481 | Network Server | Ransomware attack on business associate (Professional Finance Company) |
| Kernersville Eye Surgeons, P.C. | NC | Healthcare Provider | 13,412 | Electronic Medical Record | Eye Care Leaders ransomware attack |
| Phelps County Regional Medical Center d/b/a Phelps Health | MO | Healthcare Provider | 12,602 | Network Server | Data breach at business associate (MCG Health) |

Causes of June 2022 Healthcare Data Breaches

As the above table shows, ransomware attacks on healthcare organizations continue to be reported in high numbers. 20 of the 31 breaches affecting 10,000 or more individuals have been confirmed as involving ransomware. When these attacks occur at business associates they can affect many different HIPAA-covered entities. As mentioned, the Eye Care Leaders ransomware attack has affected at least 37 eye care providers, and a ransomware attack on Professional Finance Company affected 657 of its healthcare provider clients.

There is no sign that ransomware attacks on healthcare providers will slow. This month, CISA has warned the health and public health sector that North Korean state-sponsored hackers are known to be targeting the sector and are using ransomware for extortion.

Hacking incidents continue to dominate the breach reports, with all but two of the top 31 breaches involving hacking. 81% of the month’s breaches were reported as hacking/IT incidents, and across those 57 incidents, the records of 5,784,009 individuals were breached – 98.75% of all the breached records in June. The average breach size was 101,474 records and the median breach size was 12,602 records.

There were 6 unauthorized access/disclosure data breaches reported involving 59,224 records. The average breach size was 9,871 records and the median breach size was 5,672 records. 5 loss/theft incidents were reported (4 x theft, 1 x loss) involving 12,184 records. The average breach size was 2,437 records and the median breach size was 1,126 records. Finally, there were two improper disposal incidents reported, both of which involved paper/films. In total, 1,726 records were exposed as a result of those incidents.

Causes of June 2022 healthcare data breaches

Location of Breached Protected Health Information

The bar graph below shows where the breached information was stored. The high number of network server breaches indicates the extent to which hackers are attacking healthcare organizations. Many of these attacks involved ransomware. Most data breaches reported by healthcare providers do not involve electronic health records, which are separate from other systems. The high number of breaches involving EHRs is due to the ransomware attack on Eye Care Leaders, which provides electronic medical record systems to eye care providers.

Location of breached PHI (June 2022)

Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected HIPAA-covered entity in June, accounting for 55 data breaches of 500 or more records, with 4 data breaches reported by health plans. Business associates of HIPAA-covered entities self-reported 11 data breaches; however, 29 data breaches occurred at business associates but were reported by the affected covered entity rather than the business associate.

Taking this into account, the breakdown of the month’s data breaches by HIPAA-regulated entity type is shown in the chart below.

June 2022 Healthcare Data Breaches - HIPAA-regulated entity type

Geographic Distribution of Breached Entities

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states and the District of Columbia.

| State | Number of Data Breaches |
|---|---|
| Washington | 5 |
| California, New Jersey, North Carolina, Ohio, South Carolina, Texas, & Virginia | 4 |
| Alabama, Missouri, Nebraska, & New York | 3 |
| Delaware, Illinois, Kansas, Maryland, Michigan, Pennsylvania, Tennessee, & the District of Columbia | 2 |
| Arizona, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Massachusetts, Mississippi, & Wisconsin | 1 |

HIPAA Enforcement Activity in June 2022

There were no HIPAA enforcement actions announced by the OCR or state attorneys general in June; however, OCR announced this month (July) that a further 12 HIPAA penalties have been imposed, 11 of which were for violations of the HIPAA Right of Access.

The post June 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks

A recent Phishing by Industry Benchmarking Report has confirmed that providing security awareness training to the workforce significantly reduces susceptibility to phishing attacks. The benchmarking study was conducted by KnowBe4 to determine how effective security awareness training is at reducing susceptibility to phishing attacks. For the report, KnowBe4 analyzed data from more than 9.5 million users across 19 industry sectors, over 30,000 organizations, and 23.4 million simulated phishing emails. The study covered 22,558 small organizations with 1-249 employees, 5,876 mid-sized organizations with between 250 and 999 employees, and 1,709 large organizations with 1,000 or more employees.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of data breaches in 2021 involved a human element, confirming that people play a major role in security incidents and data breaches. Cybercriminals continue to target the human element as it provides an easy way of gaining access to business networks, and one of the main ways that employees are targeted is through phishing, which has continued to increase year over year.

Technology exists to block phishing attacks, and while products such as spam filters, antivirus software, and web filters are effective and will block a substantial number of threats, some threats will bypass those defenses and will reach employees. Many organizations fail to invest adequately in security awareness training and intervention, even though it is just as important as technology.

For the study, KnowBe4 established a baseline against which the effect of security awareness training could be measured, which the company calls the phish-prone percentage (PPP). The baseline PPP is the percentage of employees who clicked on simulated phishing emails prior to any security awareness training being provided. Training was then provided to employees and the PPP was recalculated after 90 days and after one year of continuous training.

Across all industry sectors and organization sizes, the average baseline PPP was 32.4%, which was one point higher than in 2021. The baseline in small healthcare and pharmaceutical organizations (32.5%) was second worst out of all industry sectors behind education (32.7%). The PPP was second worst in mid-sized organizations (36.6%) behind the hospitality sector (39.4%), and fourth worst in large organizations with a PPP of 45%.

When the phishing test was repeated 90 days after the provision of training, the PPP had dropped to 19.7% at small healthcare and pharmaceutical organizations, 19.1% at mid-sized organizations, and 17.2% at large organizations – percentage-point drops of 12.8, 17.5, and 27.8 respectively. Across all industry sectors, the PPP fell from 32.4% to 17.6%. These figures clearly demonstrate the benefits of providing security awareness training to employees and that training provides a fast return on investment.

The third phase of the study involved a repeat of the phishing test after a year of ongoing training and saw the average PPP across all industry sectors and organization sizes drop from 32.4% to 5%. The healthcare and pharmaceutical sector saw the PPP drop to 4.1% in small organizations, 5.1% in mid-sized organizations, and 5.9% in large organizations. That equates to an 87% improvement in small healthcare and pharmaceutical organizations, an 86% improvement in mid-sized organizations, and an 87% improvement in large organizations.
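The PPP arithmetic described above, carried through on a constructed simulated-phishing click log as an added example (not code from KnowBe4 or HIPAA Journal); the Campaign record, the cohort names and the sample campaign figures are assumptions made here. It keeps apart the two figures the text reports: the percentage-point drop at 90 days and the improvement relative to the baseline after a year.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Campaign:
    """One simulated-phishing wave delivered to one cohort (constructed record)."""
    phase: str    # "baseline", "90_day" or "1_year", the study's three test points
    cohort: str   # organisation-size bucket, e.g. "small"
    sent: int     # simulated phishing emails delivered
    clicked: int  # recipients who clicked the lure


def phish_prone_pct(clicked: int, sent: int) -> float:
    """PPP: percentage (0-100) of recipients who clicked the simulated phish."""
    if sent <= 0:
        raise ValueError("a campaign needs at least one recipient")
    if not 0 <= clicked <= sent:
        raise ValueError("clicks must lie between 0 and the number sent")
    return 100.0 * clicked / sent


def point_drop(baseline_ppp: float, later_ppp: float) -> float:
    """Absolute change in percentage points (the article's 90-day 'drops')."""
    return baseline_ppp - later_ppp


def relative_improvement(baseline_ppp: float, later_ppp: float) -> float:
    """Change relative to the baseline, in percent (the article's '% improvement')."""
    if baseline_ppp <= 0:
        raise ValueError("baseline PPP must be positive to compute an improvement")
    return 100.0 * (baseline_ppp - later_ppp) / baseline_ppp


def ppp_by_cohort(campaigns: List[Campaign]) -> Dict[Tuple[str, str], float]:
    """Sum deliveries and clicks per (cohort, phase) before dividing, so a cohort
    tested in several waves is weighted by recipients rather than by wave."""
    totals: Dict[Tuple[str, str], List[int]] = {}
    for c in campaigns:
        t = totals.setdefault((c.cohort, c.phase), [0, 0])
        t[0] += c.sent
        t[1] += c.clicked
    return {key: phish_prone_pct(clk, snt) for key, (snt, clk) in totals.items()}


def progress_report(campaigns: List[Campaign]) -> Dict[str, Dict[str, float]]:
    """Compare each post-training phase of every cohort with that cohort's baseline."""
    ppp = ppp_by_cohort(campaigns)
    report: Dict[str, Dict[str, float]] = {}
    for (cohort, phase), value in ppp.items():
        if phase == "baseline":
            continue
        base = ppp.get((cohort, "baseline"))
        if base is None:
            raise ValueError(f"cohort {cohort!r} has no baseline test to compare against")
        row = report.setdefault(cohort, {})
        row[f"{phase}_ppp"] = value
        row[f"{phase}_point_drop"] = point_drop(base, value)
        row[f"{phase}_improvement"] = relative_improvement(base, value)
    return report


# Constructed sample: one small-organisation cohort of 400 staff tested three times.
SAMPLE_CAMPAIGNS = [
    Campaign("baseline", "small", 400, 130),  # 32.5%, matching the small-org baseline
    Campaign("90_day", "small", 200, 40),     # the 90-day test delivered in two waves
    Campaign("90_day", "small", 200, 38),
    Campaign("1_year", "small", 400, 17),
]
```

Feeding the article's own baseline and one-year figures to relative_improvement reproduces its 87%, 86% and 87% improvement figures, which are relative to the baseline rather than percentage-point drops.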

“As with any significant change, it takes time to break old habits and create new ones,” explained KnowBe4 in the report. “Once these new habits are formed, however, they become the new normal, part of the organizational culture, and influence how others behave, especially new hires who look to others to see what is socially and culturally acceptable in the organization.”

KnowBe4 also pointed out that in order to favorably change overall security behaviors, security awareness training programs need to have a clearly defined and communicated mandate, a strong alignment with organizational security policies, an active connection to overall security culture, and full support of executives. “Without consistent and enthusiastic executive support, raising security awareness within an organization is certain to fail.”

The post Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks appeared first on HIPAA Journal.

Oklahoma State University Settles HIPAA Case with OCR for $875,000

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, concerning the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier, on March 9, 2016.

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

The post Oklahoma State University Settles HIPAA Case with OCR for $875,000 appeared first on HIPAA Journal.