Health Breach Tally Update: The Causes

Culprits Include Hackers, Insider Threats, Staff Errors and More

The federal tally of major health data breaches has grown substantially in recent weeks to a total of 1,074 incidents affecting 33.7 million individuals since September 2009. The approximately 30 incidents added to the list over the last month provide examples of the variety of risks that healthcare entities continue to battle.

Among the largest breaches added to the tally in recent weeks were a hacking incident, an insider breach and a mismailing of letters. Still, the loss or theft of unencrypted computing devices remains the most common cause of breaches affecting 500 or more individuals.

Hacking Incident

The largest breach added to the Department of Health and Human Services "wall of shame" since late June is a hacking incident at the Montana Department of Health and Human Services.

While the HHS tally as of July 28 lists the incident as affecting 1.06 million individuals, a spokesman for the Montana department tells Information Security Media Group that it notified 1.3 million about the breach, which is still under investigation.

"All the letters have been sent out to individuals, and our help line is ongoing, though the number of calls we're getting has ramped down," he says. On May 22, an independent forensic investigation confirmed the hacking incident. The investigation was ordered on May 15, when state officials first detected suspicious activity on a public health department server. Department officials say they immediately shut down the server and contacted law enforcement.

Although the hacking incident was confirmed in May, the state now believes the incident started as far back as July 2013, he says. He was unable to provide additional details about the attack while the investigation into the incident continues.

Since the discovery of the incident, the Montana department has implemented new and additional firewall software and is "always looking to improve our systems," he says. Potentially compromised information for health department clients includes names, addresses, dates of birth and Social Security numbers. The server may also have included information on health assessments, diagnoses, treatment, health conditions, prescriptions and insurance. Affected individuals are being offered one year of free credit monitoring, the spokesman says.

Breach Trends

While the HHS tally lists 89 major breaches since 2009 involving hacking, some security experts say such incidents are becoming more common and a bigger threat (see Why Hackers Are Targeting Health Data). Additionally, breaches involving insiders who inappropriately access patient records, for reasons ranging from snooping to more malevolent intent such as identity theft, are also a continuing concern.

"Over the past year, we've been warning our clients about the potential increase in hacker attacks and insider threats involving unauthorized access," says Dan Berger, CEO of security consulting firm Redspin. "As the amount of patient information stored increases, so does its value to those with malicious intent."

To defend against those activities, "we think that the risk analysis process should conclude with more recommendations about more advanced security tests. Increased vigilance should comprise penetration testing, Web application security assessments and social engineering," Berger says.

The second largest incident added to the federal tally in recent weeks was a breach involving a vendor that provides patient billing and collection services to the Los Angeles County departments of health services and public health. The Feb. 5 theft of eight unencrypted desktop computers from a Torrance, Calif., office of business associate Sutherland Healthcare Services affected more than 342,000 individuals, the federal tally now shows. When the breach was first disclosed on March 6, the total affected was reported as 168,500 (see Victim Tally in L.A. Breach Doubles).

The stolen computers contained personal information, including patient names, Social Security numbers, and billing information. In addition, the stolen computers may have included individuals' dates of birth, addresses, diagnoses and other medical information, the statement says. Affected individuals are being offered one year of free credit monitoring service. A number of class action lawsuits have also been filed against Los Angeles County and the vendor in the wake of the breach (see Class Action Suit Filed in L.A. Breach).

Breaches stemming from lost or stolen devices point to the value of encryption. "The problem of lost or stolen unencrypted devices is likely to get worse before it gets better," Berger says. "Unfortunately, the increasing use of portable devices in health is out-pacing the implementation of encryption, particularly in the area of BYOD."

Insider Threats

The third largest incident added to the federal tally in the last month is an insider breach affecting 97,000 current and former patients of NRAD Medical Associates, a radiology practice in Long Island, N.Y. In that incident, NRAD notified individuals that a radiologist formerly employed with the organization accessed and acquired protected health information from NRAD's billing systems without authorization.

Aside from incidents involving hackers and unauthorized access by insiders, mistakes involving paper documents also continue to plague the industry. For example, new to the tally is an incident at St. Vincent Breast Center in Indianapolis involving a clerical error in May that led to the mailing of letters containing personal health information to the wrong recipients. Some 63,000 individuals were affected.

The federal tally of major breaches lists about 205 major breaches involving paper records. "With much emphasis on electronic records and cybersecurity, it is important for covered entities and business associates to remember that paper ... continues to be a major source of breaches," notes privacy and security expert Kate Borten, founder of consulting firm the Marblehead Group (see Preventing Breaches: Don't Forget Paper).

In fact, among the latest enforcement activity by OCR was an $800,000 HIPAA settlement with Indiana-based community health system Parkview Healthcare for a 2009 breach involving paper medical record dumping.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
