Latest US Health Data Breaches Continue Ransomware Trend

Some 60 breaches affecting about 2.5 million individuals were added in July to the federal tally of major health data breaches. Those incidents continued a trend playing out in 2022:

Large hacking incidents predominately involving ransomware attacks against providers, vendors, or both are responsible for an overwhelming amount of data theft. About 80% of the major breaches reported were related to hacking/IT incidents, and these breaches accounted for 97% of all affected individuals.

“These trends indicate that this industry continues to struggle with adequate security programs and that hacking pays off,” says Kate Borten, president of The Marblehead Group, a privacy and security consultancy. “Hacking healthcare organizations is very cost-effective for the perpetrators. Attacks are relatively inexpensive to launch and can bring big monetary rewards.”

Vendors played a major role in these breaches. HHS OCR reported that 163 breaches affecting about 11.1 million individuals involved business associates. Third-party vendors are at the center of about 40% of the major HIPAA breaches reported so far this year, with those incidents affecting about 44% of all breached individuals.

Biggest Recent Breaches
In the last month alone, three of the largest health data breaches added to the HHS OCR website were reported as hacking/IT incidents involving ransomware and affecting a total of nearly 950,000 individuals. Two of those breaches were linked to business associates.

The three largest incidents in July were:

  • An attack involving Hive ransomware reported by Indiana-based neurology practice Goodman Campbell Brain & Spine affecting nearly 363,000 individuals;
  • A breach affecting more than 326,000 individuals reported by Connecticut-based health plan Aetna ACE involving an apparent ransomware incident against a subcontractor that provides mailing services;
  • A hacking/IT incident affecting more than 254,000 individuals reported by Florida-based Synergic Healthcare Solutions LLC, which operates urgent care clinics under the name Fast Track Urgent Care Center. The incident involved a 2021 ransomware attack against PracticeMax, a practice management and billing services vendor.

Bigger Picture
Federal authorities, including the FBI, HHS and Department of Homeland Security, in recent months, have repeatedly warned of the nation-state and related threats to the healthcare sector, with the ransomware group Hive being quite active in such attacks.

While the threats are constant, constant diligence and training can go a long way to mitigating the threats posed by criminals.

If you have questions about the evolving threat landscape, call ITPAC today.