Will Hacking Incidents, Other Breaches Continue to Rise During COVID-19 Pandemic?
The total number of health data breaches – and individuals affected – on the 2020 tally has more than doubled in recent weeks.
A snapshot Monday of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows a total of 105 breaches affecting more than 2.5 million individuals have been reported and added to the tally so far in 2020.
When Information Security Media Group offered its most recent previous breach update on Feb. 19, the tally listed just 38 incidents impacting a total 1.1 million individuals as being reported in 2020.
Also commonly called the “wall of shame,” the website lists health data breaches impacting 500 or more individuals.
The federal website shows a total of 3,170 major health data breaches impacting more than 235.3 million individuals reported since late 2009, when the HIPAA Breach Notification Rule went into effect.
In 2020 so far, hacking/IT incidents are the most common type of breach reported. As of Monday, 72 such incidents had been added to the tally so far this year, and they affected a total of nearly 1.8 million individuals. Some 43 of those breaches were reported as involving email, and those incidents impacted nearly 1.25 million individuals.
“I believe hacking will continue to dominate reported breaches,” says Tom Walsh, president of consulting firm tw-Security.
“From a criminal perspective, hacking has a high ‘return on investment.’ There are many easy-to-use hacking tools available. Hackers used to need a high skill set for being successful at hacking. These hacking tools are a game changer for a novice hacker.”
“The higher number of telecommuters means security and privacy mistakes will be made in the home environment.”
—Tom Walsh, tw-Security
And as healthcare providers across the country fight the COVID-19 pandemic, incidents involving phishing and other hacks – as well as mishaps and privacy breaches – will grow, Walsh predicts.
“The higher number of telecommuters means security and privacy mistakes will be made in the home environment,” he says. “Protected health information will be exported to unsecured USB drives; workstations will be shared by family members making confidential information readily available to those without a business need to know; home networks may not be secured, etc.”
Meanwhile, employees curious about who has the COVID-19 virus will snoop in electronic health records, he predicts. “Given the current crisis, there is a good chance that no one is closely examining the audit logs. These breaches may be detected later.”
Mistakes also will be made in the emergency department, he says. “The staff is exhausted. Some healthcare professionals have volunteered to help work in the ED,” he says. “They could be retired or worked in other healthcare departments or areas and may not know the standard procedures. Plus, things are rapidly changing as EDs prepare for the influx of patients and have set up makeshift tent hospitals. How is that addressed in department/hospital policy?”
Meanwhile, hackers are also stepping up their activities, Walsh notes. “They are using fake news sources, stories and maps … to dupe stressed people to make a mistake and open a door for them to get inside the network/system/application.”
Three of the largest breaches added to the federal tally in recent weeks involved hacking/IT incidents that each impacted more than 100,000 individuals.
One of those was an apparent ransomware attack on a business associate – Albany, N.Y.-based accounting firm, BST & Co. CPAs. The incident reported to HHS on Feb. 16 affected 170,000 individuals.
In a notification statement posted on its website, BST & Co. notes that it provides accounting and tax services to local clients, including the medical group, Community Care Physicians, P.C. (see Hacking of Accounting Firm Affects Medical Group).
In another large incident, Atlanta, Ga.-based healthcare system Aveanna Healthcare on Feb. 14 reported a breach involving the hacking of its email system that affected more than 166,000 individuals.
In a statement, Aveanna says it became aware on Aug. 24, 2019, of suspicious activity relating to a number of its employee email accounts. The investigation determined that an unknown intruder accessed certain employee email accounts between July 9, 2019 and August 24, 2019.
“On December 19, 2019, we determined that information for certain patients and employees may have been accessible within the email accounts involved in this event,” the statement notes.
Also added to the federal tally in recent weeks was a phishing incident reported on March 17 by San Diego, Calif.-based diabetic devices and services provider Tandem Diabetes Care that impacted nearly 141,000 individuals.
In a statement, the company says it learned on Jan. 17 that an unauthorized person gained access to a Tandem employee’s email account. “Through the investigation, we learned that some customers’ information may have been contained in one or more of the Tandem email accounts affected by the incident,” the statement says.
“The affected email accounts may have contained customer names, contact information, information related to those customers’ use of Tandem’s products or services, clinical data regarding their diabetes therapy, and in a few limited instances, Social Security numbers.”
Other Breach Causes
Six 2020 breaches involving lost or stolen unencrypted computing devices have been added to the official tally this year, affecting a combined total of more than 683,000 – most of those due to the theft of an unencrypted laptop from GridWorks, a former medical transportation vendor of Health Share of Oregon (see: Breach Report: Sometimes Encryption Still is Overlooked).
Also in 2020 so far, the federal tally shows 18 unauthorized access/disclosure breaches affecting nearly 62,000 individuals.