The hundreds of significant health data breaches disclosed to federal regulators so far this year are dominated by ransomware incidents and breaches involving commercial partners that affect millions of people.
The patterns highlight a worrying weakness for the healthcare sector, which relies on third parties to manage invoicing, process claims, and carry out other administrative tasks related to providing medical care.
Business partners, many of which are tiny businesses, frequently lack proper cybersecurity despite handling information that is extremely valuable to hackers.
A total of 360 large breaches affecting close to 22.5 million people have been reported to the HIPAA Breach Reporting Tool website of the Department of Health and Human Services since the beginning of 2022.
Since the HHS Office for Civil Rights website only lists health data breaches impacting 500 or more individuals, the actual number of affected people is probably undercounted.
Almost 21.9 million people have been affected by 287 breaches, which constitute the vast majority of documented security lapses.
In actuality, hacking/IT incidents were reported in all 10 of the biggest health data breaches that have been added so far this year. Of those, at least eight have reportedly involved data theft and/or malware.
“Unauthorized access/disclosure” incidents are projected to be the second most often reported category of breach in 2022. There were only roughly 54 of those occurrences, which affected about 281,000 people.
10 Largest Health Data Breaches in 2022, So Far
| Breached Entity | Individuals Affected |
| Shields Health Care Group* | 2 million |
| Professional Finance Company* | 1.9 million |
| Broward Health* | 1.35 million |
| Texas Tech University Health | 1.3 million |
| Baptist Medical Center* | 1.2 million |
| Partnership HealthPlan of California* | 855,000 |
| MCG Health* | 793,000 |
| Yuma Regional Medical Center* | 737,500 |
| Morley Companies* | 521,000 |
| Adaptive Health Integrations | 510,600 |
*Reported as involving ransomware and/or data exfiltration Source: U.S. Department of Health and Human Services
Vendor Breaches
On behalf of their covered entity clients, business associates handling protected health information have been at the centre of at least 136 data breaches affecting 9.87 million people.
That indicates that almost half of all significant health data breaches involved vendors or business partners; 47% of significant HIPAA breaches reported affecting 45% of all affected persons.
At least four of the ten biggest HIPAA breaches recorded on the HHS website so far in 2022 involved business associates.
The two biggest breaches so far this year are the data exfiltration incident reported by medical imaging services provider Shields Health Care Group, which affected 2 million people, and the ransomware incident reported by accounts receivables services provider Professional Finance Company, which affected 1.9 million people and dozens of covered entity clients.
A hacking attack involving roughly 1.3 million people, as revealed by Texas Tech University Health Sciences, is also among the top 10 biggest breaches.
Texas Tech is one of a growing number of more than a dozen covered entities impacted by a data deletion event involving cloud-based provider Eye Care Leaders that was made public earlier this year.
Disturbing Trends
The two biggest breaches so far this year are the data exfiltration incident reported by medical imaging services provider Shields Health Care Group, which affected 2 million people, and the ransomware incident reported by accounts receivables services provider Professional Finance Company, which affected 1.9 million people and dozens of covered entity clients.
One of the top 10 biggest breaches, according to Texas Tech University Health Sciences, involved a computer attack that affected about 1.3 million people.
One of the more than a dozen covered entities affected by a data deletion incident with cloud-based service Eye Care Leaders that became known earlier this year is Texas Tech.
According to him, patient data is frequently more useful for a wider range of identity crimes than data obtained from sources outside the healthcare industry.
“Health sector enterprises simply need to function with a greater array of consumer data than financial sector, government or commerce sector entities, including personally identifiable information, PHI and financial or payment account data, making them more likely to be the target of hackers.”
Hamilton believes that the fact that many healthcare industry partners are tiny businesses that do not invest enough in security to safeguard the private patient data they manage only makes the situation worse.
I believe that many ransomware and other extortion operations are modifying their “go-to-market strategy,” as we are currently witnessing.
Addressing Weaknesses
During a presentation at the Information Security Media Group’s annual healthcare security summit in New York City this week, Nicholas Heesters, HHS OCR’s senior adviser for cybersecurity, informed guests that the number of breaches reported to the organisation is continuously increasing yearly.
According to him, ransomware-related events are currently among the most common hacking IT incidents that are reported to HHS OCR.
Investigations into these and other breaches by the HHS OCR reveal that a sizable proportion of healthcare sector companies still do not implement multifactor authentication.
He claims that numerous covered entities and business associates are still frequently found to be lacking in conducting and documenting thorough enterprise security risk analyses, which may have assisted the organisations in identifying areas of weakness to be fixed before experiencing significant breach incidents.
Hamilton offers a similar assessment based on what he sees.
According to him, “phishing scams that trick users into handing up their passwords and unpatched internet-facing vulnerabilities are the two leading initial access vectors for hacking attacks.”
“Given that situation, user education and vulnerability management become crucial. A rule requiring personal use on personal devices will also shield systems used by covered entities from unfiltered messaging services like personal email, social networking, etc.”
Reference: https://www.bankinfosecurity.com/at-half-year-mark-ransomware-vendor-breaches-dominate-a-19565
