HIPAA Breach News

ZocDoc Says Programming Error Resulted in Exposure of Patient Data

ZocDoc, a New York-based provider of a platform that allows prospective patients to book appointments with doctors and dentists, has discovered a bug in its software that allowed patient data to be accessed by medical and dental practices when access should have been restricted.

The investigation revealed programming errors which meant that, from August 2020 until the errors were discovered and corrected, certain past and current practice staff members had access to the provider portal when their accounts should have been decommissioned, deleted, or limited. In all cases, the individuals who could have accessed patient data improperly were healthcare providers and are therefore bound to maintain the privacy and security of patient data. ZocDoc said there is no evidence to suggest there have been any further disclosures of patient data.

Patient data potentially accessed included names, email addresses, phone numbers, appointment histories with the practice, insurance information, Social Security numbers, and medical information provided by individuals in connection with appointments booked through the service.

ZocDoc said it performed a review of its software and code and the programming errors have been corrected. Security practices have now been strengthened, regular security audits will continue to be conducted, and steps have been taken to enhance those audits.

ZocDoc said approximately 7,600 individuals across the United States have been affected. As a precaution against identity theft and fraud, affected individuals have been offered a complimentary 12-month membership to the Experian IdentityWorks identity theft protection service.

Email Account Breaches Reported by Cincinnati Parenting Center

Beech Acres Parenting Center in Cincinnati has discovered that email accounts containing client data were accessed by an unauthorized individual. A digital forensics firm was engaged to assist with the investigation and determine the nature and full scope of the breach. The investigation revealed the email accounts were accessed by an unauthorized individual between December 29, 2020 and March 18, 2021.

A review of the emails and attachments in the compromised accounts revealed they contained sensitive client information including names, dates of birth, client account numbers, dates of service, provider names, treatment, and clinical information and, for a subset of individuals, health insurance information, Social Security numbers, and/or driver’s license numbers.

Upon discovery of the breach, all email accounts were secured. Devices and systems are being reviewed and steps will be taken to improve security. The workforce will also be re-educated on identifying and avoiding suspicious emails.

Once the review has concluded, affected individuals will be notified by mail. Individuals whose Social Security or driver’s license number was potentially compromised will be offered complimentary credit monitoring and identity protection services.

The post ZocDoc Says Programming Error Resulted in Exposure of Patient Data appeared first on HIPAA Journal.

Rehoboth McKinley Christian Health Care Services Notifies Patients about February 2021 Ransomware Attack

Gallup, NM-based Rehoboth McKinley Christian Health Care Services (RMCHCS) has announced it was the victim of a ransomware attack in February 2021 in which patient data was exfiltrated.

The Conti ransomware gang struck in February and stole a range of sensitive data, including job application data, background check information, staff reports, and the protected health information of patients. A sample of the stolen files was uploaded to the Conti data leak site to pressure the healthcare provider into paying the ransom. The data is no longer listed on the leak site, but it is unclear whether the ransom was paid.

RMCHCS discovered on February 16, 2021 that patient data had been stolen by the ransomware group. RMCHCS engaged a third-party computer forensics firm to investigate the attack and determined the attackers exfiltrated data between January 21 and February 5, 2021. A review of the files potentially accessed by the hackers was completed on April 30, 2021 and notification letters were sent to those individuals.

RMCHCS said the data potentially accessed included names, addresses, telephone numbers, email addresses, dates of birth, dates of service, Social Security numbers, driver’s license numbers, passport numbers, tribal ID numbers, health insurance information, medical record numbers, provider names, diagnoses, treatment information, prescription information, financial account information, and billing and claims data. The types of data potentially compromised varied from individual to individual.

Free identity monitoring and restoration services have been offered to individuals affected by the breach and RMCHCS said it has hardened its systems against attacks by hackers and has increased security and monitoring.

The breach is believed to have affected 209,280 individuals.

Health Plan of San Joaquin Email Security Breach Affects 420,433 Individuals

Health Plan of San Joaquin (HPSJ), a non-profit Medi-Cal managed care provider based in French Camp, CA, has discovered an unauthorized individual has gained access to its email system and potentially accessed or obtained sensitive data.

A potential email breach was suspected on or around October 12, 2020 when anomalous activity was identified in the email system. HPSJ determined on October 23, 2020 that multiple employee email accounts had been remotely accessed by an unauthorized individual. A password reset was performed on all affected email accounts to prevent further access, and the investigation confirmed that unauthorized access to email accounts occurred between September 26, 2020 and October 12, 2020.

Following any email system breach, all emails in the compromised accounts must be checked to determine whether they contain any sensitive data. That can be a labor-intensive and time-consuming process. In this case, the process involved a programmatic and painstaking manual review, which revealed that the compromised email accounts contained the protected health information of 420,433 individuals.

The delay in issuing breach notification letters was due to the length of time it took to identify PHI in the email accounts, and the subsequent review of internal records to identify up-to-date contact information for those individuals to allow notification letters to be sent. That process has only recently been completed and breach notification letters started to be sent to affected individuals on May 18, 2021.

The types of PHI in the compromised accounts included names, addresses, and Social Security numbers. While unauthorized email account access was confirmed, no reports have been received to indicate any misuse of PHI. As a precaution against identity theft and fraud, affected individuals whose Social Security number was exposed have been offered a complimentary 12-month membership to credit monitoring services through Equifax.

New England Dermatology Discovers Specimen Bottles Disposed of Incorrectly for 10 Years

New England Dermatology has started notifying 58,106 patients about the exposure of some of their protected health information. In an April 30, 2021 breach notice, New England Dermatology explained the privacy breach was due to the improper disposal of specimen bottles by its in-house pathology laboratory.

The lab should have been sending the specimen bottles for shredding or incineration since the specimen bottles had printed labels that included patient data covered by the HIPAA Rules; however, they were discarded as regular trash. The information on the bottles included patients’ first and last names, birth dates, dates of specimen collection, name of provider who took the specimen, and body part from which the specimen was taken. No other information was included on the labels. The regular trash, including the specimen bottles, was collected by a waste contractor that serviced the building and was sent to landfill.

The improper disposal dated back to February 4, 2011 and continued until the HIPAA violation was discovered on March 31, 2021. Any individual whose specimen(s) was analyzed by its pathology lab during that time will have had the above information exposed. New England Dermatology is unaware of any cases of attempted or actual misuse of patient data.

In response to the discovery, policies and procedures were immediately changed and further training has been provided to staff members.

Alaska Department of Health and Social Services Reports Malware Attack

On May 18, 2021, the Alaska Department of Health and Social Services (DHSS) announced that its website, dhss.alaska.gov, was affected by a malware attack. The website was taken offline on May 17, 2021 to prevent harm to its servers, systems, and databases, and it will remain offline until the attack is remediated and fully investigated.

In addition to the main DHSS website, some other systems have been taken offline including its background check system, behavioral health and substance abuse management system, the Alaska vital records system, Case Management System for TANF work activities, and the system used by schools to report vaccine data for public health purposes.

The DHSS does not know how long the investigation will take nor how long the above systems will remain offline. It is unclear who launched the attack or what their motives were. Further information will be made available to the public as details about the attack are confirmed, including whether protected health information has been compromised.

PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online

Arizona Asthma and Allergy Institute in Peoria, AZ has discovered the protected health information of up to 50,000 patients has been temporarily exposed online and could potentially have been accessed by an unauthorized individual.

The affected patient data had been exposed for a brief period in September 2020 under the name of a different organization. Upon discovery of the security incident, a third-party computer forensics firm was engaged to investigate and determine the scope of the security breach and the extent to which patient data had been affected.

The investigation confirmed on March 8, 2021 that the types of data exposed included first and last names, patient identification numbers, provider names, health insurance information, and treatment cost information. Affected patients had received medical services from the Arizona Asthma and Allergy Institute between October 1, 2015 and June 15, 2020.

While the exposure of data was confirmed, no evidence was found to indicate any patient data has been misused; however, affected patients have been advised to monitor their explanation of benefits statements for any signs of fraudulent activity.

Arizona Asthma and Allergy Institute has since taken steps to enhance security to prevent any similar incidents in the future.

Package of Documents Containing PHI of 4,571 Exceltox Patients Lost in Transit

Irvine, CA-based Exceltox Laboratories has notified 4,571 individuals about the potential exposure of some of their protected health information.

Exceltox is a CLIA-certified laboratory that provides clinical and toxicology testing services, including COVID-19 tests. On February 15, 2021, Exceltox sent a package containing documents related to COVID-19 tests performed for patients via UPS to its document scanning vendor.

Exceltox believed that the package had been safely delivered, but later discovered the package had not arrived at its intended destination. Exceltox worked with UPS to try to locate the missing package but it has not yet been found. According to UPS documentation, an attempt was made to deliver the package, but the offices of the document scanning company were closed. The package was returned to the depot for redelivery, but the package was never redelivered. Efforts are continuing to try to locate the missing package.

The documents in the package included full names, addresses, phone numbers, Social Security numbers, dates of birth, genders, medical provider names, patient IDs, test types, collection dates, insurance provider names, insurance plan names, and policy numbers and/or group numbers.

UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed; however, only for one of the patients named in the lawsuit.

UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse.

The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack.

A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the plaintiffs sought damages for the exposure of sensitive data, which they claimed placed them at an increased risk of identity theft and fraud.

As is often the case in data breach lawsuits, the claims of two of the plaintiffs – Barry Graham and Angela Morgan – were dismissed as too speculative: an increased risk of identity theft and fraud was not sufficient for standing as it did not constitute harm. The plaintiffs were unable to provide evidence to support their claim, with U.S. District Judge Gerald McHugh noting that in cases of data theft in ransomware attacks, the theft of data is “generally the means to an end: extorting payment,” and that the courts could only speculate as to whether the stolen data was in a form that would allow the attackers to make unauthorized transactions in the names of the plaintiffs and whether they would actually be intended targets in future criminal acts by the hackers.

The claim of the third plaintiff, Stephen Motkowicz, was determined to be sufficient to survive the motion to dismiss. Motkowicz had an appointment for a surgical procedure postponed as a result of the attack. Motkowicz required surgery to treat a medical condition and, as a result of the delay, was forced to take further time off work and ultimately lost his health insurance through his employer and was forced to purchase an insurance policy at a higher price.

“Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery,” said Judge McHugh. While his claim was sufficient to survive the motion to dismiss, Judge McHugh said the theory of causation provided a significant challenge, which would have to be evaluated through further discovery to determine if it was sufficient to have standing.

April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches, with 62 reported breaches of 500 or more records – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised, although that is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HIPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRX, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered Entity | Covered Entity Type | Business Associate Involvement | Individuals Affected | Type of Breach | Reported Cause of Breach
Trinity Health | Business Associate | Yes | 586,869 | Hacking/IT Incident | Ransomware (Accellion)
Bricker & Eckler LLP | Business Associate | Yes | 420,532 | Hacking/IT Incident | Ransomware
Health Center Partners of Southern California | Business Associate | Yes | 293,516 | Hacking/IT Incident | Ransomware (Netgain Technologies)
Total Health Care Inc. | Health Plan | No | 221,454 | Hacking/IT Incident | Phishing
Wyoming Department of Health | Health Plan | No | 164,010 | Unauthorized Access/Disclosure | Exposure of PHI over Internet
Home Medical Equipment Holdco, LLC | Healthcare Provider | No | 153,013 | Hacking/IT Incident | Phishing
Health Aid of Ohio, Inc. | Healthcare Provider | No | 141,149 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
Woodholme Gastroenterology | Healthcare Provider | No | 50,000 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
Neighborhood Healthcare | Healthcare Provider | Yes | 45,200 | Hacking/IT Incident | Ransomware (Netgain Technologies)
Crystal Lake Clinic PC | Healthcare Provider | No | 37,331 | Hacking/IT Incident | Not confirmed
RiverSpring Health Plans | Health Plan | No | 31,195 | Hacking/IT Incident | Phishing
Middletown Medical Imaging | Healthcare Provider | No | 29,945 | Hacking/IT Incident | Exposure of PHI over Internet
St. John’s Well Child and Family Center, Inc. | Healthcare Provider | No | 29,030 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy Corporation | Healthcare Provider | No | 24,037 | Hacking/IT Incident | Phishing
Squirrel Hill Health Center | Healthcare Provider | No | 23,869 | Hacking/IT Incident | Malware
Eastern Shore Rural Health System Inc. | Healthcare Provider | Yes | 23,282 | Unauthorized Access/Disclosure | Not confirmed
Faxton St. Luke’s Healthcare | Healthcare Provider | Yes | 17,656 | Hacking/IT Incident | Ransomware (CaptureRX)
Midwest Transplant Network, Inc. | Healthcare Provider | No | 17,580 | Hacking/IT Incident | Ransomware
Baptist Health Arkansas | Healthcare Provider | Yes | 16,765 | Hacking/IT Incident | Hacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type, with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 breaches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

State | No. Reported Data Breaches
California | 7
Michigan and Texas | 5
Florida, New York, & Wisconsin | 4
Massachusetts & Ohio | 3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont | 2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming | 1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.

140,000 SEIU 775 Benefits Group Members’ PHI Potentially Compromised

SEIU 775 Benefits Group in Washington has notified approximately 140,000 of its members that some of their protected health information has been exposed. Around April 4, 2020, SEIU 775 Benefits Group’s IT team detected anomalous activity within the group’s data systems, including the apparent deletion of certain data files.

Third party digital forensics experts were engaged to assist with the investigation and confirmed that systems had been accessed by an unauthorized individual who deleted certain files that contained personally identifiable and protected health information. The forensics experts found no evidence to indicate any protected health information was downloaded or viewed and no reports have been received that suggest there has been any misuse of PHI.

The types of information potentially accessed were limited to names, addresses, and Social Security numbers, with health plan eligibility or enrollment information also potentially compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll for 12 months.

Woodholme Gastroenterology Associates Breach Impacts 50,000 Patients

Woodholme Gastroenterology Associates in Baltimore, MD has discovered an unauthorized individual gained access to its systems and exfiltrated files that included patients’ protected health information on February 25, 2021.

The security breach was detected on March 1, 2021 and steps were immediately taken to prevent any further unauthorized access. A comprehensive review of the files that were exfiltrated or potentially accessed revealed they contained patients’ names, addresses, email addresses, dates of birth, patient ID numbers, diagnoses and/or treatment information. A limited number of Social Security numbers, driver’s license numbers, and health insurance information was also potentially compromised.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security number or driver’s license number was exposed. The HHS’ Office for Civil Rights breach portal indicates up to 50,000 patients have been affected.

Employee of Vitality Senior Living Charged with Identity Theft

A certified nursing assistant formerly employed by Vitality Senior Living in Arlington, VA has been charged with stealing the identities of 6 residents under her care.

In April, the woman allegedly admitted to the executive director that she had fraudulently cashed a $1,200 check from one of the residents. The woman was terminated and law enforcement was notified. The victim reported the matter to the police and said 6 blank checks had been stolen from his checkbook and two had been cashed. The victim also said several fraudulent charges had been made against his debit card.

The suspect’s name had been written on one of the cashed checks and the other had her brother’s name, who was also employed at Vitality Senior Living but was not charged in relation to the incident. The police found photographs of the victim’s driver’s license and debit cards on the suspect’s phone along with evidence that a further 5 residents had been targeted, three of whom had been defrauded. The police also found evidence that the woman had tried to file fraudulent unemployment claims and tax returns for individuals whose identities could not be verified.

The woman is due to appear in court on May 25, 2021 on more than a dozen identity theft charges.

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous Data Breach Investigations Reports, and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches was misdelivery of paper and electronic documents (36%), a figure that was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents. 32% of breaches involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.”

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity. 80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.
