2017’s Record HIPAA Breach Pace Points to Growing Hacker Threat
2016 was a record year for large HIPAA breaches, with covered U.S. healthcare entities reporting 133 cases that affected the private information of at least 500 individuals each.
This year is on pace to more than double that figure, with 221 major breaches reported to federal authorities already, as of Sept. 20, government records show.
The 66 percent increase – thus far – is driven by a sharp rise in the number of incidents designated as “Hacking/IT Incident,” which were up 82 percent, to 104 in 2017.
The second most common cause for a HIPAA breach this year was unauthorized access or disclosure, which totaled 69 cases.
An MSPmentor review of records maintained by the U.S. Department of Health and Human Services Office of Civil Rights (OCR) suggests hackers are stepping up attacks against healthcare targets, which hold the holy grail of data: Detailed medical information.
Healthcare records represent some of the most valuable data to hackers because in addition to names, addresses and Social Security numbers; they contain health insurance numbers and detailed treatment information that can be used in medical billing scams.
Where a record with a name and Social Security number might sell for between $1 and $3 each on the dark web, a detailed medical record could fetch as much as $100, according to one recent report.
OCR officials did not immediately respond to a request for that agency’s interpretation of the trends in HIPAA breach cases.
Eleven of the 12 biggest breaches in 2017 were attributed to “Hacking/IT Incident,” compared with just six of the top 12 breaches in 2016.
Ironically, this year’s biggest breach was the only one of the top 12 not caused by hacking.
On March 1, officials at Commonwealth Health Corporation of Bowling Green, Ky., reported that 697,800 patient records were compromised because of an unspecified theft, according to federal data.
A lengthy OCR investigation is standard after such reports, and Commonwealth Health Corporation has issued no public explanation of the incident.
However on March 21, Med Center Health – a six-hospital chain owned by Commonwealth Health Corporation – announced it had been the victim of an inside job after an employee took records they allegedly planned to use in the development of a computer-based tool for an outside business interest.
“On January 4, 2017, during the course of an internal investigation, we determined that the former Med Center Health employee had, on two past occasions during their employment, obtained certain billing information by creating the appearance that they needed the information to carry out their job duties for Med Center Health,” the company said in a statement.
“To date, our investigation indicates that in August 2014 and February 2015 the individual in question obtained patient information on an encrypted CD and encrypted USB drive, without any work-related reason to do so,” the advisory to customers went on. “The billing information included patients’ names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes and charges for your medical services.”
Hospital officials said they delayed informing OCR officials until this year at the request of law enforcement.
“Law enforcement asked that we delay notification to patients or public announcement of the incident until now so as not to interfere with their investigation,” the Med Center Health statement said. “Now that law enforcement’s request for delay has ended, we are notifying patients as quickly as possible.”
The OCR investigation is being closely watched for clues about how federal regulators treat breaches involving encrypted media.
HIPAA laws require covered entities to report breaches affecting more than 500 individuals “without unreasonable delay” and always within 60 days.
But those rules apply to “unsecured” protected health information and it’s unclear whether the hospital company acted appropriately in waiting so long to inform the public and regulators.
If there’s one aspect of positive news from the data, it’s that the total number of individuals whose personal information was compromised in 2017 – nearly 4.2 million – is on pace to fall substantially compared to last year.
In 2016, the number of people whose personal information was compromised totaled just over 12.7 million.
Though that figure is more than three times this year’s total thus far, more than 11.6 million of the individuals’ information stolen in 2016 was compromised during the 12 biggest breaches.
Records of fewer than 1.1 million people were compromised during 2016’s other 121 breaches, combined.
Send tips and news to MSPmentorNews@Penton.com.