Cyberattacks Fuel 2017’s Biggest Breaches

With the exception of one large insider theft, hacker attacks, some involving ransomware, continue to be the method of choice behind the biggest health data breaches reported so far this year to federal regulators.

As of July 3rd, 149 breaches affecting nearly 2.7 million people have been reported to the Department of Health and Human Services’ ‘wall of shame’.

Of those 2017 breaches, 53 are listed as hacking/IT incidents. Even though that’s only 35% of breaches, it represents almost 60% of the individual victims: 1.6 million in all.

Four of the five largest breaches reported so far in 2017 involved hacking/IT incidents. At least two have been disclosed by healthcare entities in their public breach notification statements as involving ransomware.

Those incidents include a ransomware attack reported to HHS on June 16 by Airway Oxygen, a Michigan-based provider of oxygen therapy and home medical equipment, affecting 500,000 individuals, as well as a March incident reported by Texas-based specialty practice Urology Austin that affected nearly 280,000 individuals.

Neither the Airway Oxygen nor the Urology Austin breach is listed on the ‘wall of shame’ with details referencing ransomware. However, each entity issued breach notification statements to affected individuals naming ransomware as the culprit.

5 Largest Health Data Breaches in 2017:

  1. Commonwealth Health 697,800 – Theft
  2. Airway Oxygen 500,000 – Hacker
  3. Urology Austin 279,663 – Hacker
  4. Harrisburg Gastroenterology 93,323 – Hacker
  5. VisionQuest Eyecare 85,995 – Hacker

However, despite the continuing surge in hacking-related incidents, the largest health data breach added so far this year to the federal tally was an insider incident that was reported in March by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp.

That incident, affecting 698,000 individuals, involved a former Med Center Health employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, “without any work-related reason to do so,” the company said in a statement.

Breaches Since 2009

Since the HIPAA breach notification rule took effect in 2009, 1,971 breaches impacting nearly 174.3 million individuals have been posted. Of those, only 322 are listed as hacking/IT incidents. Those incidents affected about 130.2 million individuals, or nearly 75 percent of all victims impacted by reported health data breaches.

In recent weeks, a number of large breaches involving ransomware-related hacking incidents were reported to federal regulators.

Recent Hacker Breaches

Among other recent incidents added to the ‘wall of shame’ involving hacker attacks:

  • Cleveland Medical Associates, based in Tennessee, reporting to HHS on June 20th a ransomware attack occurring in April that involved protected health information of 22,000 individuals.
  • Family Tree Health Clinic, based in Texas, reporting to HHS on June 19 a ransomware attack occurring in April that impacted data of 13,402 individuals. A Family Tree breach notification statement says no ransom was paid and data was restored using backups.
  • Torrance Memorial Medical Center, based in California, reporting to HHS on June 19 a phishing incident in April that impacted two email accounts containing personal information of potentially 46,632 individuals.

The pace of these attacks is increasing, and the targets are not just the big systems. Smaller organizations are more susceptible due to a lack of resources for security, the likelihood of older systems, and less sophisticated detection and alert capabilities. Ransomware is a regular occurrence now as criminals follow the money. They see that ransomware can be lucrative, and they can get away without being caught.

The key to defending against cyber attacks is to have procedures in place so that everyone understands what to do.

If you’d like help formulating a plan and implementing procedures to enhance your IT security, call ITPAC today.