Hacking Attacks, Business Associate Incidents Were Common
The federal tally of health data breaches shows that hacking attacks and incidents involving business associates dominated this year.
A snapshot on Wednesday of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows that 462 major health data breaches affecting a total of nearly 41 million individuals have been added to the tally so far this year.
Commonly called the “wall of shame,” the HHS website lists breaches affecting 500 or more individuals reported to comply with the HIPAA Breach Notification Rule.
Of those breaches posted so far in 2019:
- 272 were reported as hacking/IT incidents, affecting a total of nearly 36 million individuals, or about 88 percent of all impacted by breaches added to the tally this year;
- 136 were reported as “unauthorized access/disclosure” breaches, affecting a total of 4.6 million individuals, or about 11 percent;
- 30 breaches were reported as “loss” or “theft” of unencrypted computing devices, impacting about 266,000 individuals, or less than 1 percent;
- 108 breaches were reported as having a business associate “present.” Those BA breaches affected nearly 24.8 million individuals, or about 60 percent of the total impacted.
The largest of the breaches involving a BA was revealed in the spring by American Medical Collection Agency. It affected more than two dozen of its covered entity clients and more than 20 million individuals.
Many of the organizations affected by the collections agency breach filed their own breach reports. One of those former clients, Optum360, reported the breach affected 11.5 million individuals served by its customer, medical test laboratory Quest Diagnostics.
The breach reported by Optum360 is the single largest business associate-related breach listed on the federal tally since regulators began keeping track in 2009.
Meanwhile, in another major BA-related breach, a misconfigured webpage setting at Inmediata Health Group, a San Juan, Puerto Rico-based clearinghouse and cloud software services provider, exposed data on 1.6 million individuals.
So what should healthcare organizations do to avoid being added to the “wall of shame” in 2020 as a result of a BA breach?
“Although the HIPAA security and privacy rules have changed very little since they were written almost 20 years ago, HHS has made clear it expects organizations to do more these days in terms of vetting their business partners – both through mergers and acquisitions and with business associate relationships,” notes Kate Borten, president of privacy and security consulting firm The Marblehead Group.
“Simply asking a few perfunctory questions and getting signed BA agreements is no longer sufficient,” she says. “Large organizations have been reviewing their BAs’ security programs for years, but now midsize organizations need to do the same. This will be challenging for many providers who still struggle to maintain adequate security and privacy within their own facilities.”
Privacy attorney Kirk Nahra of the law firm WilmerHale notes that many healthcare organizations deal with hundreds of business associates. “So, it’s not surprising that we’re seeing so many BA breaches,” he says.
Customers should demand that a BA demonstrate it has built “a good security program” that addresses relevant risks.
Bigger Picture Trends
In the decade since HHS’ Office for Civil Rights began keeping a public tally of major breaches involving protected health information, 3,015 breaches have been posted on the HHS website, affecting a total of nearly 232 million individuals.
Some 859 of those were reported as hacking/IT incidents; they affected a combined total of 182 million individuals, or nearly 80 percent of all breach victims.
Since 2009, 634 incidents affecting a total of 64.5 million individuals were reported as having a BA “present.”
One of the biggest shifts in recent years is the impact of health data breaches involving lost or stolen unencrypted devices. In the early years of the tally, those incidents had been responsible for the majority of individuals affected by health data breaches. This year, however, such incidents have affected less than 1 percent of breach victims.
“If you combine hacking and unauthorized access – the [breach reporting] categories most often used for ransomware incidents – then you see the biggest trend and shift in breached data,” notes Susan Lucci, senior privacy and security consultant at tw-Security.
Among breaches recently added to the tally was an incident reported by White Plains, NY-based Ivy Rehab Network impacting 125,000 individuals stemming from a phishing attack.
In another recent addition to the tally, West Austin, Minnesota-based Southeastern Minnesota Oral & Maxillofacial Surgery reported a ransomware attack affected 80,000 individuals.
A Cause for Concern
The volume of breaches posted to the federal tally appears to be rising, “which should worry everyone,” Lucci observes.
“The increase in business associate breaches should serve as a solemn reminder to all covered entities to vet your BAs carefully. Ask for evidence of compliance and ensure their workforce education includes robust training on phishing and ransomware,” she says.
“Ransomware attacks are sophisticated and evolving. People can easily make a mistake and click on an email they think is from a legitimate source and shut down an entire organization.”