Latest HIPAA News

Summary of Healthcare Data Breaches in December 2017

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.

 

December 2017 Healthcare Data Breaches

 

Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.

 

Records Exposed in December 2017 Healthcare Data Breaches

 

December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.

 

December 2017 Healthcare Data Breaches by Covered Entity Type

Causes of Healthcare Data Breaches in December 2017

As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.

 

December 2017 healthcare data breaches by incident type

 

While hacking incidents usually result in the greatest number of records being exposed/stolen, this month saw a major increase in records exposed due to the theft of portable electronic devices. The theft of devices containing PHI – and paper records – resulted in 122,921 patients’ protected health information being exposed. The mean number of records exposed in theft incidents was 20,487 and the median was 15,857 – Both higher than any other cause of data breach.

 

Causes of Healthcare Data Breaches (Dec 2017)

 

Records Exposed by Breach Type (Dec 2017)

 

Network server incidents were the most numerous in December with 12 incidents, although there were 9 incidents involving paper records, showing that while healthcare organizations must ensure appropriate technological defenses are in place to protect electronic data, physical security is also essential to ensure paper records are secured.

 

Location of Breached PHI (Dec 2017)

 

10 Largest Healthcare Data Breaches in December 2017

In December, there were 9 data breaches that impacted more than 10,000 individuals reported to the Office for Civil Rights by HIPAA covered entities. In contrast to past months when hacking incidents dominated the top ten breach list, there was an even spread between hacking incidents, unauthorized access/disclosures, and theft of healthcare records and electronic devices.

The largest data breach reported in December affected Oklahoma Department of Human Services. However, this was not a recent data breach. The breach occurred in April 2016, but a breach report was not submitted to the Office for Civil Rights at the time of discovery. It took 18 months after the 60-day deadline for the breach to be reported.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois Healthcare Provider 22000 Loss
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

December 2017 Healthcare Data Breaches by State

California experienced the most healthcare data breaches in December with 5 reported incidents, followed by Michigan with 4 data breaches.

Eight states experienced two data breaches each – Florida, Illinois, Minnesota, New England, Nevada, New York, Philadelphia and Texas.

13 states each had one reported breach: Colorado, Georgia, Iowa, Indiana, Massachusetts, Missouri, New Jersey, North Carolina, Ohio, Oklahoma, Oregon, Tennessee, and West Virginia.

Data source: Department of Health and Human Services’ Office for Civil Rights.

The post Summary of Healthcare Data Breaches in December 2017 appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.

Indiana Health System Pays $55K Ransom to Recover Files

A ransomware attack on Greenfield, Indiana-based Hancock Health on Thursday forced staff at the hospital to switch to pen and paper to record patient health information, while IT staff attempted to block the attack and regain access to encrypted files.

The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack and a third-party incident response firm was called upon to help mitigate the attack.

An attack such as this has potential to cause major disruption to patient services, although Hancock Health said patient services were unaffected and appointments and operations continued as normal.

An analysis of the attack uncovered no evidence to suggest any patient health information was stolen by the attacker(s). The purpose of the attack was solely to cause disruption and lock files to force the hospital to pay a ransom to recover its files.

According to a report in the Greenfield Reporter, the attack involved a variant of ransomware called SamSam. The ransomware variant has been used in numerous attacks on healthcare organizations in the United States over the past 12 months. The unknown attacker(s) demanded a payment of 4 Bitcoin to supply the keys to unlock the encryption.

As required by HIPAA, Hancock Health had performed backups and no data would have been lost as a result of the attack; however, the process of recovering files from backups takes a considerable amount of time. The hospital would not have had access to files and information systems for several days – potentially even weeks – if backups were used to recover data. On Saturday, the decision was taken to pay the ransom.

The decision to pay the ransom was not taken lightly. While patient services were not affected, restoring files from backups would almost certainly have impacted patients and paying the ransom was seen to be the best option to avoid disruption. The keys to unlock the encryption were supplied within two hours of the ransom being paid and the network was brought back online on Sunday.

Typically, these attacks occur as a result of employees responding to phishing emails or visiting malicious websites, although Hancock Health says this attack was not caused by an employee responding to a phishing email.

The attack was sophisticated. “This was not a 15-year-old kid sitting in his mother’s basement,” said Hancock Health CEO Steve Long.

Hancock Health has now implemented software that can detect atypical network activity indicative of an intrusion or ransomware attack, which will allow rapid action to be taken to block, and limit the severity, of any further attacks. Hancock Health is continuing to work with national law enforcement to learn more about the incident.

The post Indiana Health System Pays $55K Ransom to Recover Files appeared first on HIPAA Journal.

Achieving HIPAA Compliant File Sharing In and Outside the Cloud

HIPAA compliant file sharing consists of more than selecting the right technology to ensure the security, integrity and confidentiality of PHI at rest or in transit. Indeed, you could implement the most HIPAA compliant file sharing technology available and still be a long way short of achieving HIPAA compliance.

It is not the technology that is at fault. Many Covered Entities and Business Associates fail to configure the technology properly or train employees how to use the technology in compliance with HIPAA. According to a recent IBM X-Force Threat Intelligence Report, 46% of data breaches in the healthcare industry are attributable to “inadvertent actors”.

Of the remaining 54% of data breaches in the healthcare industry, 29% are attributable to “outsiders”, while the remaining 25% are the work of “malicious insiders”. Therefore, if a Covered Entity implements HIPAA compliant file sharing technology, but fails to configure it properly, train employees how to use it compliantly, or introduce mechanisms to monitor access to PHI, it may only be 29% of the way towards achieving HIPAA compliance.

Understanding the Risks to PHI when Sharing Data

In order to fully understand the risks to PHI when sharing data, it is important to conduct a thorough risk assessment detailing how PHI is created, used, stored and shared – and what happens to the data once it has been shared. When the risk assessment is completed, it is necessary to conduct a risk analysis to identify vulnerabilities and weaknesses that could result in the unauthorized disclosure of PHI.

Part of the risk analysis should concern what happens to data shared with Business Associates. Business Associates should conduct their own risk assessments and risk analyses, and it is a HIPAA Security Officer´s duty to conduct due diligence on any Business Associate data is shared with, in order to ensure their file sharing procedures are also HIPAA compliant.

HIPAA Compliant File Sharing Exists Outside the Cloud

Most articles relating to file sharing and HIPAA compliance focus on the technology available to share files securely in the cloud. Although these articles provide valuable information about one specific area of sharing data, they do not address the subject of HIPAA compliant file sharing in its entirety – for example, when data is shared within a private network or in physical format.

As well as evaluating cloud-based technology for HIPAA compliant file sharing, HIPAA Security Officers should also consider access controls to files and folders stored on private networks and access logs to monitor when PHI is accessed – both online and in physical format. Done effectively, this should help prevent the #1 cause of HIPAA security breaches – employee snooping.

Explaining File Sharing and HIPAA Compliance to Employees

Employee snooping – viewing the healthcare records of family, friends, colleagues or personalities without authorization – may not result in headline data breaches, but it is a HIPAA violation – and a common one at that. However, without being told it is a violation, many employees would consider snooping no more than a misdemeanor with inquisitive intent.

Explaining that snooping is a HIPAA violation punishable by sanctions is a good foundation for explaining file sharing and HIPAA compliance to employees. It will help them better understand the seriousness of unauthorized disclosures of PHI and make them more careful about taking shortcuts “to get the job done” – a leading cause of data breaches in the healthcare industry attributable to “inadvertent actors”.

Train, Monitor, Sanction when Necessary, then Review

Whenever new HIPAA-related technology is introduced or working practices are changed, it is essential employees are provided with adequate training on the new technology or working practices. By using employee HIPAA training sessions to reinforce the message about file sharing and HIPAA compliance, the message will likely be better absorbed.

If the Covered Entity is able to support employee training with mechanisms to monitor access to PHI, and the enforcement of sanctions when necessary, the likelihood is “malicious insiders” will likely think twice before attempting to access PHI without authorization. Thereafter, HIPAA Security Officers should review policies and procedures to assess whether any further adjustments need to be made in order to ensure HIPAA compliant file sharing.

The post Achieving HIPAA Compliant File Sharing In and Outside the Cloud appeared first on HIPAA Journal.

Kathryn Marchesini Appointed Chief Privacy Officer at ONC

The Office of the National Coordinator for Health IT (ONC) has a new chief privacy officer – Kathryn Marchesini, JD.

The appointment was announced this week by National Coordinator Donald Rucker, M.D. Marchesini will replace Acting Chief Privacy Officer Deven McGraw, who left the position this fall.

The HITECH Act requires a Chief Privacy Officer to be appointed by the ONC. The CPO is required to advise the National Coordinator on privacy, security, and data stewardship of electronic health information and to coordinate with other federal agencies.

Following the departure of McGraw, it was unclear whether the position of CPO would be filled at the ONC. The ONC has had major cuts to its budget, and in an effort to become a much leaner organization, funding for the Office of the Chief Privacy Officer was due to be withdrawn in 2018. However, the decision has been taken to appoint a successor to McGraw.

There are few individuals better qualified to take on the role of CPO. Katheryn Marchesini has extensive experience in the field of data privacy and security, having spent seven years at the Department of Health and Human Services. During her time at the HHS Marchesini assisted with the creation of new federal policies, guidance for HIPAA covered entities on privacy and security, and many HHS health IT privacy initiatives.

Most recently, Marchesini served as senior health information technology and privacy advisor at the HHS’ Office for Civil Rights and as senior advisor on privacy and precision medicine at the ONC. Marchesini also served as Division Director for Privacy at the ONC between 2014 and 2016, Acting Chief Privacy Officer at the ONC for four months in 2014, and Senior Policy Analyst and Privacy Team Leader at the ONC between October 2012 and June 2014.

Prior to joining the HHS, Marchesini worked as a legal associate with two law firms, as a management analyst at Deloitte Consulting, and economics assistant at FERC.

Announcing the appointment, Donald Rucker said, “[Marhesini] brings to her new roles a wealth of experience as a Senior Advisor and Deputy Director for Privacy at ONC where she advised staff and stakeholders about privacy and security implications surrounding electronic health information, technology, and health research.” The appointment has also been welcomed by Deven McGraw.

The post Kathryn Marchesini Appointed Chief Privacy Officer at ONC appeared first on HIPAA Journal.

Data Breach Notification Bill Introduced in North Carolina

A new data breach notification bill has been introduced in North Carolina in response to the rise in breaches of personal information in 2017. Last year, more than 5.3 million residents of North Carolina were impacted by data breaches.

The rise in data breaches prompted state Attorney General Josh Stein and state Representative Jason Saine to introduce the Act to Strengthen Identity Theft Protections. If passed, North Carolina will have some of the toughest data breach notification laws in the United States.

The Act, introduced on January 8, 2018, is intended to strengthen protections for state residents. The Act updates the definitions of personal information and security breaches, and decreases the allowable time to notify state residents of a breach of their personal information.

The definition of personal information has been expanded to include insurance account numbers and medical information. It is currently unclear whether the new law will apply to organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) or if they will be deemed to be in compliance with state laws if they comply with HIPAA.

The definition of a breach has been updated to include any breach of personal information, including ransomware attacks, even if the personal information of state residents is only encrypted by ransomware and no data theft has occurred.

In the event of a breach of personal information, the Act requires companies to issue notifications to breach victims within 15 days of the discovery of a breach. Faster breach notifications will allow consumers to take prompt action to secure their accounts and limit potential harm from the exposure of their personal information.

Breaches must also be reported to the Attorney General’s office. This will empower the attorney general to determine the risk of harm from the breach, rather than leaving it to the breached entity to make that determination.

The Act also requires businesses to implement and maintain reasonable security protections to keep data secure. The nature of those protections should be appropriate to the sensitivity of the data concerned. The failure to implement sufficient controls would be deemed a violation of the Unfair and Deceptive Trade Practices Act, and each person whose data has been exposed would represent “a separate and distinct violation of the law.”

North Carolina residents must also be allowed to place a credit freeze on their accounts free of charge and the Act requires credit reporting agencies “to put in place a simple, one-stop shop for freezing and unfreezing a consumer’s credit reports.” This would allow consumers to quickly and easily freeze and unfreeze credit across all major consumer reporting agencies.

A new provision has also been included to cover credit reference and consumer reporting agencies. If those agencies experience a breach they will be required to provide five years of free credit monitoring services to consumers.

A summary of the Act is available here.

Image source: By Darwinek [CC BY-SA 3.0] via Wikimedia Commons

The post Data Breach Notification Bill Introduced in North Carolina appeared first on HIPAA Journal.

The HIPAA Password Requirements and the Best Way to Comply With Them

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication.

The HIPAA password requirements can be found in the Administrative Safeguards of the HIPPA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”.

Experts Disagree on Best HIPAA Compliance Password Policy

Although all security experts agree the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, other experts say the effort is a waste of time, as a competent hacker should be able to crack any password within ten minutes using a combination of technical, sociological, or subversive means.

There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tolls. Although these tools can also be hacked, the software saves passwords in encrypted format, making them unusable by hackers.

The HIPAA Password Requirements are Addressable Requirements

One important point to mention when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be put off to another date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”

In the context of the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if an alternative security measure can be implemented that accomplishes the same purpose as creating, changing and safeguarding passwords, the Covered Entity is in compliance with HIPAA.

Two-factor authentication fulfills this requirement perfectly. Whether by SMS notification or push notification, a person using a username and password to log into a database containing PHI also has to insert a PIN code to confirm their identity. As a unique PIN code is issued with each log in attempt, a compromised password alone will not give a hacker access to the secure database.

Two Factor Authentication is Already Used by Many Medical Facilities

Interestingly, two factor authentication is already used by many medical facilities, but not to safeguard the confidentiality, integrity and security of PH. Instead it is used by medical facilities accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by others to comply with the DEA´s Electronic Prescription for Controlled Substances Rules.

Healthcare IT professionals will be quick to stress that two factor authentication can slow workflows, but recent advances in the software allow for LDAP integration and Single Sign-On between healthcare technologies. As two factor authentication software only transmits PIN codes (and not PHI) the software is HIPAA compliant, and it is a far easier solution for compliance with the HIPAA Password requirements than frequent changes of passwords. Effectively, Covered Entities never need change a password again.

The only thing Covered Entities have to remember before implementing two factor authentication to protect PHI is that, because the HIPAA Password requirements are addressable safeguards, the reasons for implementing the alternative solution have to be documented. This will satisfy the HIPAA requirements for conducting a risk analysis and auditors if the Covered Entity is chosen to be investigated as part of HHS´ HIPAA Audit Program.

The post The HIPAA Password Requirements and the Best Way to Comply With Them appeared first on HIPAA Journal.

The Top HIPAA Threats Are Likely Not What You Think

Many articles listing the Top HIPAA Threats pretty much follow a similar theme. Protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third party disclosures by signing a Business Associate Agreement. Unfortunately these articles are way off the mark.

Inasmuch as the recommendations are sensible, and indeed should be followed, they fail to address the top HIPAA threats – employees. According to the recently-published IBM X-Force Threat Intelligence Report, 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious Insiders” (25%) and “inadvertent actors” (46%).

A Quarter of Healthcare Data Breaches Attributable to Malicious Insiders?

Although IBM´s Intelligence Report focuses on the number of breaches – rather than the number of records breached – the percentage of data breaches attributed to malicious insiders appears high. However, it is not the case that a quarter of the medical profession is stealing Protected Health Information for personal gain. A closer inspection of the data reveals the “malicious insiders” category includes employees snooping on the medical records of friends, colleagues and celebrity patients.

Snooping was identified as the largest single cause of data breaches in the healthcare industry in a 2013 study conducted by Veriphyr Identity and Access Intelligence. As snooping constitutes an unauthorized disclosure of Protected Health Information, it is classified as a violation of HIPAA and therefore – by the number of violations alone – is one of the top HIPAA threats Covered Entities should be aware of. It is certainly a threat OCR would expect a Covered Entity to address in a HIPAA risk assessment.

Other Data Breaches Attributable to Malicious Insiders Tend to Attract Headlines

Whereas snooping can be the biggest cause of employee HIPAA violations by number, the biggest cause of employee HIPAA violations by records breached is insider data theft. In a recent high-profile case, a secretary employed by the Jackson Health System in Florida was charged with accessing more than 24,000 computerized patient records and selling the data to criminals, who subsequently used it to file fraudulent tax returns with the Internal Revenue Service.

A spate of high-volume data breaches around the same time prompted the HHS´ Office for Civil Rights to issue a reminder to Covered Entities to take action to prevent insider data theft. Unfortunately many Covered Entities appear not to have responded to the reminder. A survey conducted in late 2016 revealed half of healthcare IT professionals were more concerned about insider data theft than external data theft, but were not given the resources to deal with the threat.

Are Inadvertent Actors Really More of a HIPAA Threat than Cybercriminals?

According to the basic data it would appear so. However, the category of “inadvertent actors” includes victims of phishing attacks and IT professionals who fail to configure their security mechanisms properly; so it may be more accurate to rename this category “employees who inadvertently invited cybercriminals to steal data”. Nonetheless, the percentage of reported data breaches attributable to inadvertent actors is nearly twice that of external hacks.

This would imply another of the top HIPAA threats is a lack of employee awareness. Phishing is a massive threat to HIPAA compliance, but it is one that can mitigated with phishing simulation training. Similarly, errors made by IT security can be reduced by implementing procedures to review the configuration of security mechanisms on a regular basis – which should be part of an annual risk assessment in any case. Basically, data breaches due to inadvertent actors are mostly avoidable.

The Top HIPAA Threats and How to Defend Against Them

At HIPAA Journal we strongly recommend Covered Entities encrypt data, implement two-factor authentication and conduct due diligence on Business Associates. These practices – and others provided by HIPAA threat-style articles- will help defend against some HIPAA threats, but not the top HIPAA threats. In order to defend against the top HIPAA threats of snooping, insider data theft and a lack of employee awareness, Covered Entities need to:

  • Implement strong policies relating to employee conduct and enforce them with an equally strong sanctions policy.
  • Implement effective access controls that monitor who accesses PHI when and where, and what happens to it afterwards.
  • Implement a comprehensive HIPAA training program to raise employee awareness – particularly in the area of Internet security.

More than anything, Covered Entities need to allocate more resources to eliminating data breaches attributable to employee actions. If the data provided in the IBM X-Force Threat Intelligence Report is taken at face value, Covered Entities should allocate three times as many resources to defending against the top HIPAA threats that come from within than they allocate to external threats.

The post The Top HIPAA Threats Are Likely Not What You Think appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

The mega data breaches of 2015 were fortunately not repeated in 2017, and the decline in massive data breaches continued in 2017.

Last year, there were three breaches reported that impacted more than one million individuals and 14 breaches of more than 100,000 records.

In 2017, there was only one reported data breach that impacted more than 500,000 people and 8 breaches that impacted 100,000 or more individuals. The final total for individuals impacted by breaches last year was 14,679,461 – considerably less than the 112,107,579 total the previous year.

The final figures for 2017 cannot yet be calculated as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rules allows covered entities up to 60 days to report data breaches of more than 500 records, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records – A 347% reduction in breached records year on year.

While it is certainly good news that the severity of breaches has reduced, that only tells part of the story. Breaches of hundreds of thousands of records have reduced, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016. There were 78 healthcare data breaches in 2017 involving more than 10,000 records.

The bad news is there has been a significant rise in the number of healthcare data breaches in 2017.  As of January 4, 2017, there have been 342 healthcare security breaches listed on the OCR breach portal for 2017. It is likely more incidents will be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

 

reported healthcare data breaches in 2017

 

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The list of the 20 largest healthcare data breaches of 2017 is listed below.

Position Breached Entity Entity Type Records Exposed Cause of Breach
1 Commonwealth Health Corporation Healthcare Provider 697,800 Theft
2 Airway Oxygen, Inc. Healthcare Provider 500,000 Hacking/IT Incident
3 Women’s Health Care Group of PA, LLC Healthcare Provider 300,000 Hacking/IT Incident
4 Urology Austin, PLLC Healthcare Provider 279,663 Hacking/IT Incident
5 Pacific Alliance Medical Center Healthcare Provider 266,123 Hacking/IT Incident
6 Peachtree Neurological Clinic, P.C. Healthcare Provider 176,295 Hacking/IT Incident
7 Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident
8 McLaren Medical Group, Mid-Michigan Physicians Imaging Center Healthcare Provider 106,008 Hacking/IT Incident
9 Harrisburg Gastroenterology Ltd Healthcare Provider 93,323 Hacking/IT Incident
10 VisionQuest Eyecare Healthcare Provider 85,995 Hacking/IT Incident
11 Washington University School of Medicine Healthcare Provider 80,270 Hacking/IT Incident
12 Emory Healthcare Healthcare Provider 79,930 Hacking/IT Incident
13 Salina Family Healthcare Center Healthcare Provider 77,337 Hacking/IT Incident
14 Stephenville Medical & Surgical Clinic Healthcare Provider 75,000 Unauthorized Access/Disclosure
15 Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident
16 Primary Care Specialists, Inc. Healthcare Provider 65,000 Hacking/IT Incident
17 Enterprise Services LLC Business Associate 56,075 Unauthorized Access/Disclosure
18 ABCD Pediatrics, P.A. Healthcare Provider 55,447 Hacking/IT Incident
19 Network Health Health Plan 51,232 Hacking/IT Incident
20 Oklahoma Department of Human Services Health Plan 47,000 Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing is abundantly clear from the list of the largest healthcare data breaches of 2017 is hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the largest healthcare data breaches of 2017.

In 2016, hacking incidents only accounted for 11 out of the top 20 data breaches and 12 of the top 20 in 2015. Hacking incidents therefore appear to be rising.

 

healthcare data breaches in 2017 (hacking)

 

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

 

healthcare data breaches of 2017 (Unauthorized access/disclosures)

 

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

 

Healthcare Data Breaches of 2017 (loss/theft)

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it will ensure healthcare organizations achieve at least the minimum standard for data security, which will prevent the majority of healthcare data breaches.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, if secure passwords had been chosen, and if cloud storage services and databases had been configured correctly. Many data breaches were caused as a result of employees leaving unencrypted laptops in risky locations – in unattended vehicles for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently. As a result, employees are continuing to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce training regularly. Only then will organizations be able to reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented to ensure that the unauthorized accessing of records – theft or snooping – is identified rapidly.  That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – mean data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it will be possible for the year on year rise in data breaches to be stopped. But until healthcare organizations get the basics right and comply with HIPAA Rules, healthcare data breaches are likely to continue to rise.

The post Largest Healthcare Data Breaches of 2017 appeared first on HIPAA Journal.