Ransomware Incidents Among Largest Breaches on Federal Tally
Analysis of Latest Health Data Breaches on the HHS OCR 'Wall of Shame'
Ransomware incidents are becoming a major cause of health data breaches affecting millions of individuals that have been reported so far in 2021, according to the latest additions to the federal tally.
As of Wednesday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that the top 10 largest breaches posted to the tally so far in 2021 were all hacking/IT incidents.
Of those incidents, at least five - affecting a total of nearly 8 million individuals - were publicly disclosed as involving ransomware.
That includes one of the largest breaches added to the tally in recent days: an August ransomware incident reported by Indiana-based Eskenazi Health to HHS on Oct. 1 as a HIPAA breach affecting more than 1.5 million individuals.
"No doubt ransomware is on the rise," in healthcare, as well as in other sectors, says Jim Van Dyke, a senior vice president at security firm Sontiq, which analyzes and rates the severity of data breaches based on the type of information compromised.
"When hackers want to get paid for their activity, ransomware is an increasingly attractive option because they literally hold the breached entity’s records for ransom, threatening to both cripple their operations and create a flood of downstream identity theft and fraud to the individuals who had their various identity records exposed."
10 Largest Health Data Breaches in 2021, So Far
Florida Healthy Kids Corp.
20/20 Eye Care Network
NEC Networks d/b/a CaptureRx
The Kroger Co.
St. Joseph's/Candler Health System*
University Medical Center Southern Nevada*
Practicefirst Medical Management Solutions*
Source: U.S. Department of Health and Human Services
Beyond those 10 largest data breaches posted so far this year, the tally also contains numerous other breaches added in recent weeks, and many of them involve hacking incidents, such as ransomware attacks.
For instance, on Oct. 8, a ransomware breach that was reported by Massachusetts-based ReproSource as affecting 350,000 individuals was posted to the tally.
And on Sept. 20, a May hacking incident involving malware reported by the Alaska Department of Health and Social Services as affecting 500,000 individuals was added to the tally.
Latest Tally Trends
As of Wednesday, the HHS Office for Civil Rights breach tally website shows that since 2009, some 4,296 breaches affecting a total of nearly 311 million individuals have been posted on the tally. Commonly called the "wall of shame," the HHS OCR website lists health data breaches affecting 500 or more individuals.
So far in 2021, 567 breaches affecting 38.5 million individuals have been posted on the HHS site.
Of those, 407 breaches were reported as hacking/IT incidents affecting nearly 36.3 million individuals, or about 94% of people affected by breaches posted on the HHS site so far in 2021.
Some 212 incidents affecting about 20.3 million individuals were reported as involving a business associate so far in 2021.
In fact, vendors have also been involved in some of the largest breaches added to the tally in recent weeks.
That includes at least 11 separate breach reports filed on Oct. 1 by Pennsylvania-based Professional Dental Alliance for its dental practice operations in several states involving an affiliated vendor's phishing incident, which affected a total of about 173,000 individuals.
Other Breaches in 2021
Of all 2021 breaches posted so far, 130 breaches affecting more than 1.94 million individuals were reported as unauthorized access/disclosure incidents.
While breaches involving loss or theft of unencrypted computing and storage devices dominated the wall of shame a few years ago, only 13 breaches affecting a total of about 88,000 individuals and involving lost or stolen unencrypted devices were posted so far this year.
Four improper disposal breaches affected nearly 190,000 individuals - more than were affected by all of the breaches reported as unencrypted device loss/theft incidents.
The largest of those incidents involving improper disposal of protected health information was reported in July by Maine-based HealthReach Community Health Centers as affecting more than 122,000 individuals.
So, what steps can other HIPAA-covered entities and their business associates take to avoid becoming the next ransomware victims with big health data breaches being added to the federal tally?
First, healthcare sector entities need to keep in mind that many of these attacks are evolving from ransomware that only encrypts data at rest to attacks that exfiltrate data, or both - with attackers holding the stolen data for ransom, some experts note.
While many organizations are improving their practices to be better prepared for potential ransomware attacks involving encryption of data, "it doesn’t matter how good your data backup and recovery procedures are. That doesn’t help in a data exfiltration," says Tom Walsh, president of privacy and security consultancy tw-Security.
Walsh suggests that organizations implement multifactor authentication "on as many applications and systems as possible."
At a minimum, MFA should be applied to email, to system administrator or "super user" elevated-privilege access, and to remote access users, he says.
"While MFA is not required by HIPAA, the cyber insurance industry is driving MFA - taking it from a best practice to a reasonable expectation," he adds.
Walsh also says that entities should conduct penetration tests and address the "high findings" as quickly as possible, and they should conduct a cyberattack tabletop exercise. "You need to be ready," he says.
Organizations should instruct users not to save their user credentials when prompted to do so on the screen, Walsh adds.
"Rule of thumb: If it is easier for the users, it’s easier for the hackers too."
Could the spike in these healthcare sector cyberattacks, including ransomware incidents, have a silver lining?
"Ransomware has gotten much more attention from healthcare CEOs and boards in recent years," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"In fact, it may have been the wake-up call many senior leaders needed to recognize security as a priority," she says.
"This type of attack not only can have a financial and reputational impact on the target organization, but it can and has affected patient care, the core mission of providers."