Ransomware Attacks and Incidents Involving Vendors Proliferate
Hacking incidents – including ransomware attacks – continue to be the most common type of health data breaches added to the federal tally this year. And the ongoing COVID-19 crisis will put healthcare organizations at heightened risk for such incidents in the months to come, some experts predict.
A snapshot on Thursday shows that 508 breaches affecting a total of nearly 22.3 million individuals have been added to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website so far in 2020, up from 444 breaches impacting about 21 million individuals as of Oct. 13. The website, commonly called the “wall of shame,” lists breaches affecting 500 or more individuals reported to HHS’ Office for Civil Rights.
Since 2009, some 3,574 breaches affecting more than 261 million individuals have been posted on the HHS site.
Of the breaches posted so far this year, 68% were reported as hacking/IT incidents; they affected a total of 20.3 million individuals, or 91% of the total number of individuals affected by all breaches added to the tally.
Some 192 of the breaches added – or 38% – involved business associates. Those affected 13.8 million individuals, or nearly 62% of the total of new victims.
But some large breaches known to involve a business associate relationship based, for instance, on public breach notifications or other statements, were not listed on the HHS site as having a business associate “present.”
For instance, an April ransomware attack on managed healthcare company Magellan Health, a business associate, is at the center of at least 10 breaches affecting a total of more than 1.5 million individuals.
“We still encounter organizations who do not have a formal process for verifying their business associates’ compliance levels,” notes Susan Lucci, a security consultant at tw-Security. “This should not be on the back burner any longer as the rise in reported business associate breaches should serve as a tangible reminder.”
Given the recent surge in data breaches, “there does not appear to be any slowdown in the business of cybercriminals whose intent is to make money,” she says. “And they are methodically finding vulnerabilities and exploiting them for profit,” especially amid the pandemic.
The largest business associate incident added to the HHS tally this year is the May ransomware attack on fundraising software provider Blackbaud, which is at the center of about four dozen health data breach reports affecting a total of about 11 million individuals (see Blackbaud Expects Cyber Insurer Will Cover Most Attack Costs).
The largest of the Blackbaud-related breaches hit Michigan-based Trinity Health in September, affecting more than 3.3 million individuals.
Breaches involving vendors are “a constant problem, extending to both large enterprises and small organizations, based on the entity engaging third-party payment, security or other third parties to run critical parts of their infrastructure,” says Jim Van Dyke, CEO and founder of security firm Breach Clarity.
“Companies using third parties must invest more time and money in verifying the security of firms that use private customer data, and they can’t simply rely on vendors’ assurances that the personal data is safe from access by hackers. Testing and verification is everything.”
Meanwhile, as the COVID-19 crisis persists, the healthcare sector will remain at high risk for breaches, Lucci says.
That’s because individuals eager to learn more about the virus “may click on links that promise information or solutions such as free testing kits or alternative sources of income,” she says. “When these are not legitimate sites, it can be a source of introducing malware or viruses into your laptop or other device that, if connected to a hospital network, can wind up as ransomware or other infections.”
A recent research report by security vendor Zscaler found that so far in 2020, threat actors have been targeting healthcare with more encrypted malware attacks than any other sector.
“In times of unusual crisis such as COVID-19, the old criminal guise of referencing a pervasive emergency will be more effective,” Van Dyke says. This sets the stage for continued phishing and social engineering scams.
“So many people are in a state of constant alarm, and we’ve seen cybercriminals use this real crisis to create fake scenarios, and thus lure unwitting individuals into helping them either obtain access to data or commit ID crimes using the data,” he says.
“Expect this trend to continue until COVID-19 abates, and then to see the same pattern of scams reappear with the next humanitarian crisis.”