Health Data Breach Trends

Ransomware Attacks, Vendor Incidents Continue to Dominate

So far in 2021, some 383 health data breaches affecting more than 27 million individuals have been added to the HHS wall of shame. That includes 131 breaches affecting nearly 10 million since the end of May.

Of the 2021 breaches, the vast majority — 283 breaches affecting 26.1 million individuals — were reported as involving hacking/IT incidents.

Largest Breaches of 2021

  • Florida Healthy Kids Corp. — 3.5 million
  • 20/20 Eye Care Network — 3.3 million
  • Forefront Dermatology, S.C. — 2.4 million
  • CaptureRx — 1.7 million
  • The Kroger Co. — 1.5 million
  • American Anesthesiology — 1.3 million
  • Practicefirst Medical Management Solutions — 1.2 million
  • Personal Touch Holding — 750,000
  • Health Net Community Solutions — 690,000
  • Hendrick Health — 640,000

Latest Additions
Two ransomware incidents added to the tally in the last month rank among the biggest breaches posted to the HHS site this year.

Forefront Dermatology S.C., on July 8, reported a ransomware attack affecting more than 2.4 million individuals. And the medical management services vendor Practicefirst Medical Management Solutions, on July 1, reported an incident affecting 1.2 million individuals.

The Practicefirst incident is among some 165 breaches – affecting a total of about 19.4 million individuals – added to the tally so far in 2021 that involved business associates.

Vendor Risk
Covered entities need to intensify their security risk scrutiny of vendors, given the frequency of incidents involving business associates (BAs). Holding BAs to the same standards as a covered entity is key. If a BA is involved in a breach, ensure that it has communicated how the incident happened, the lessons learned, and the security improvements that will be enacted.

Taking Action
To avoid falling victim to hacking incidents, organizations need to be proactive. With the increase in high-profile attacks, awareness should be high, but persistent education is vital to ensure that you’re not exposed. Unfortunately, people are clicking on links that they ‘think’ are OK. One of the best ways to keep employees from becoming numb to basic reminders is to include current examples of data breaches, along with their details.

Hackers are clearly realizing that one of the easiest paths into an entity is through the seams between it and the third parties it works with. Healthcare organizations that outsource functions to vendors need to avoid loosening their controls on procedures in areas that could let bad actors in.

If you have questions about ransomware, hacking, and your IT security risk, call ITPAC today.