As of this writing, there are 294 incidents under investigation (published submissions) by the U.S. Department of Health and Human Services (HHS) for 2017, impacting over 4.72 million individual patient records.
In this report, Dr. Rebecca Wynn, Chief Information Security Officer (CISO) of Matrix Medical Network, outlines the current outstanding breaches from 2017 that remain under investigation, and how guidelines within HIPAA lay a framework that can help thwart these incidents.
Here’s an overview of the submitted/reported healthcare industry breaches and their impact on records from a bird’s eye view:
| Submitted Breaches | Type Of Breach | No. Of Records | % Of Records |
| --- | --- | --- | --- |
| 132 | Hacking / IT Incident | 3,348,321 | 70.91% |
| 8 | Improper Disposal | 27,593 | 0.58% |
| 8 | Loss | 31,994 | 0.68% |
| 47 | Theft | 914,043 | 19.36% |
| 99 | Unauthorized Access / Disclosure | 399,893 | 8.47% |
| 294 | Total | 4,721,844 | 100.00% |
So what is the definition of a healthcare breach, according to HIPAA?
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the protected health information or to whom the disclosure was made
- Whether the protected health information was actually acquired or viewed
- The extent to which the risk to the protected health information has been mitigated
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of “breach”:
- The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
- The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both the first and second cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
- The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Here’s a deeper look at the 2017 top 10 healthcare breaches:
Top 10 Breakdown:
Ransomware: 60%
Unauthorized Access: 20%
Cyber Attack: 10%
Former Employee: 10%
10. VisionQuest Eyecare (85,995, cyber attack, HHS Submission Date 3/2/2017)
Indiana-based VisionQuest Eyecare announced on its website that it discovered a cyber attack on its network on January 22, 2017. Information that was potentially compromised included patient names, addresses, phone numbers, dates of birth, Social Security numbers, health or vision insurance information, medical claims data and clinical information (protected health information), according to VisionQuest. (ITRC Breach ID: ITRC20170306-05)
9. Harrisburg Gastroenterology Ltd (93,323, unauthorized access, HHS Submission Date 5/1/2017)
On March 17, 2017, following an investigation of potentially suspicious system activity, Harrisburg Gastroenterology determined that an unauthorized individual could have accessed its patient information. The patient information contained in its systems included name, demographic information, Social Security number, health insurance information, diagnostic information and clinical information. (ITRC Breach ID: ITRC20170501-08)
8. McLaren Medical Group, Mid-Michigan Physicians Imaging Center (106,008, unauthorized access, HHS Submission Date 8/24/2017)
McLaren Medical Group, which manages Mid-Michigan Physicians, announced that the breach (unauthorized access) affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses. (ITRC Breach ID: ITRC20170830-09)
7. Arkansas Oral & Facial Surgery Center (128,000, ransomware, HHS Submission Date 8/24/2017)
The Arkansas Oral and Facial Surgery Center in Harrison investigated a ransomware attack that occurred on the night of July 25, 2017 or the morning of July 26, 2017. The investigation revealed that the ransomware had been installed on the surgery center's systems by an unauthorized individual. While only a limited amount of patient information was affected, imaging files such as X-rays and documents were impacted. It also appeared that the ransomware rendered all electronic patient data relating to patient visits within three weeks of the attack inaccessible. Information in the affected documents included patient names, addresses, dates of birth and Social Security numbers, as well as medical history information. (ITRC Breach ID: ITRC20171003-03)
6. Peachtree Neurological Clinic, P.C. (176,295, ransomware, HHS Submission Date 9/24/2017)
PNC's computer system was infected by ransomware that encrypted its electronic medical records ("EMR") system containing patients' medical records. PNC was not able to confirm which, if any, files or patient information were accessed by the unauthorized individuals, but it is possible that they could have accessed the EMR system and information including name, address, telephone number, Social Security number, date of birth, driver's license number, treatment or procedure information, prescription information and/or healthcare insurance information. (ITRC Breach ID: ITRC20170713-06)
5. Pacific Alliance Medical Center (266,123, ransomware, HHS Submission Date 8/10/2017)
On June 14, 2017, PAMC became aware that a certain number of its networked computer systems were being affected by a cyber incident. The personal information on the servers affected by the virus (ransomware) may have included: name, demographic information, date of birth, Social Security number, and employment information. (ITRC Breach ID: ITRC20170815-01)
4. Urology Austin, PLLC (279,663, ransomware, HHS Submission Date 3/22/2017)
On January 22, 2017, Urology Austin was the victim of a ransomware attack that encrypted the data stored on their servers. The investigation indicated that personal information may have been impacted by the ransomware, including name, address, date of birth, Social Security number, and medical information. (ITRC Breach ID: ITRC20170324-02)
3. Women's Health Care Group of PA, LLC (300,000, ransomware, HHS Submission Date 7/15/2017)
In May, a virus (ransomware) was installed on a server/workstation, preventing the practice from accessing patient data. The types of data exposed, and potentially stolen, include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers. (ITRC Breach ID: ITRC20170728-03)
2. Airway Oxygen, Inc. (500,000, ransomware, HHS Submission Date 6/16/2017)
On the evening of April 18, 2017, Airway Oxygen learned that unidentified criminal(s) had gained access to its technical infrastructure and installed ransomware in order to deny Purity Cylinder and Airway Oxygen, two affiliated companies, access to their own data. The types of protected health information involved in the breach include some or all of the following data regarding their customers/end users and payment sources: full name, home address, birth date, telephone number, diagnosis, type of service and health insurance policy numbers. (ITRC Breach ID: ITRC20170608-02)
1. Commonwealth Health Corporation (697,800, former employee, HHS Submission Date 3/1/2017)
The FBI continues to investigate a breach of personal information from about 160,000 patients served at some Med Center Health affiliates between 2011 and 2014. A former employee is accused of taking the data, which included billing information such as name, address, Social Security number, insurance information and procedure codes, on an encrypted device with the stated intention of using it for a "personal project." (Commonwealth Health) (ITRC Breach ID: ITRC20170327-02)
How to minimize the impact of a breach?
- Ensure antivirus/antimalware is installed and up to date across all endpoints in the business
- Back up the data and keep copies off your network (offline, or otherwise unreachable from production systems), as frequently as you can afford; ransomware that can reach a backup will encrypt it too
- Use Group Policy Object (GPO) restrictions
- Patch your systems (keep them as current as you can)
- Restrict administrative rights on endpoints
- Remember that reducing privileges reduces the attack surface: use a standard (non-administrator) local user account as your primary account
- Use a Secure Internet Gateway both on and off the company network
- Block users from installing anything: no rights to install. Route requests through a helpdesk system (with change control) and have a system administrator install only software that is on the approved list
- Use Data Loss Prevention (DLP) and actively monitor it
- Invest in your information security program. Tools are great, but it takes a team to properly manage and monitor them
- Establish security awareness campaigns that stress not clicking on links and attachments in email
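As an added example (not part of Dr. Wynn's report), the following PowerShell script audits a single Windows endpoint against the checklist items that can be verified locally: antimalware status and signature age, patch currency, local administrator membership of the day-to-day account, application allow-listing, and UAC. It assumes Windows 10/Server 2016 or later with PowerShell 5.1+, Microsoft Defender as the antimalware product and AppLocker as the install-restriction mechanism; the function name and the two age thresholds are assumptions, not HIPAA or vendor requirements. Off-network backups and the secure internet gateway cannot be checked from the endpoint and are deliberately left out.

```powershell
# Added example: read-only audit of one Windows endpoint against the checklist above.
# Assumptions (not from the original report): Defender as AV, AppLocker for install
# restriction, and the two age thresholds below. Run as the day-to-day user so the
# admin-rights check reflects that account; no elevation is required.

function Invoke-EndpointHardeningAudit {
    param(
        [int]$MaxSignatureAgeDays = 7,    # assumed threshold for AV signature age
        [int]$MaxPatchAgeDays     = 45    # assumed threshold for the newest installed hotfix
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Control, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
    }

    # 1. Antivirus/antimalware installed, running and current (Defender shown; a
    #    third-party product needs its own query, so report CHECK rather than FAIL).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        Add-Finding 'Antimalware' 'CHECK' 'Get-MpComputerStatus unavailable; verify third-party AV manually'
    } elseif (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        Add-Finding 'Antimalware' 'FAIL' 'Antivirus or real-time protection is disabled'
    } elseif ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        Add-Finding 'Antimalware' 'FAIL' "Signatures are $($mp.AntivirusSignatureAge) days old"
    } else {
        Add-Finding 'Antimalware' 'PASS' "Signatures updated $($mp.AntivirusSignatureLastUpdated)"
    }

    # 2. Patching: age of the newest Win32_QuickFixEngineering record (cumulative
    #    updates appear here; application updates do not).
    $lastPatch = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $_.InstalledOn } |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastPatch) {
        Add-Finding 'Patching' 'FAIL' 'No installed hotfix with an install date was found'
    } else {
        $ageDays = [int]((Get-Date) - $lastPatch.InstalledOn).TotalDays
        $status  = if ($ageDays -gt $MaxPatchAgeDays) { 'FAIL' } else { 'PASS' }
        Add-Finding 'Patching' $status "Newest hotfix $($lastPatch.HotFixID) installed $ageDays days ago"
    }

    # 3. Administrative rights: the primary account should not be a local administrator.
    #    Direct members only; membership inherited through nested domain groups is not expanded.
    $names = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    $me = $env:USERNAME
    $meIsAdmin = [bool]($names | Where-Object { ($_ -split '\\')[-1] -ieq $me })
    $status = if ($meIsAdmin) { 'FAIL' } else { 'PASS' }
    Add-Finding 'Admin rights' $status "Administrators: $($names -join ', '); current user $me is admin: $meIsAdmin"

    # 4. Install restriction: AppLocker Exe and Msi collections must be in enforce mode,
    #    and the Application Identity service must be running or the rules do nothing.
    $enforced = @()
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($policy) {
        $enforced = @($policy.RuleCollections |
                      Where-Object { "$($_.EnforcementMode)" -eq 'Enabled' } |
                      ForEach-Object { "$($_.RuleCollectionType)" })
    }
    $appIdSvc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcRunning = ($appIdSvc -and "$($appIdSvc.Status)" -eq 'Running')
    if (($enforced -contains 'Exe') -and ($enforced -contains 'Msi') -and $svcRunning) {
        Add-Finding 'Install restriction' 'PASS' "AppLocker enforced for: $($enforced -join ', ')"
    } elseif (($enforced -contains 'Exe') -and ($enforced -contains 'Msi')) {
        Add-Finding 'Install restriction' 'FAIL' 'AppLocker rules configured but AppIDSvc is not running'
    } else {
        Add-Finding 'Install restriction' 'FAIL' 'AppLocker Exe/Msi rules not enforced (verify SRP or third-party allow-listing instead)'
    }

    # 5. UAC must be on for the admin/standard-user split to mean anything.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $status = if ($uac -and $uac.EnableLUA -eq 1) { 'PASS' } else { 'FAIL' }
    Add-Finding 'UAC' $status "EnableLUA=$($uac.EnableLUA); ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"

    return $findings
}

$results = Invoke-EndpointHardeningAudit
$results | Format-Table -AutoSize
$failures = @($results | Where-Object Status -eq 'FAIL').Count
Write-Output "$failures control(s) failed"
```

The script reports rather than remediates, so it can be pushed as a GPO logon script or an RMM job and the failure count collected centrally; remediation stays with the helpdesk and change-control process the list describes.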
The HIPAA breach notification rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
References:
- ITRC Breach Report 2017
- HHS Breach Report 2017
Dr. Rebecca Wynn is the author of this report and a member of the Cyber Security Hub Editorial Advisory Board. Named 2017 Cyber Security Professional of the Year -- Cyber Security Excellence Awards, SC Magazine Chief Privacy Officer 2017 Award, and Global Privacy and Security by Design (GPSbyDesign) -- International Council Member -- Wynn is a "big picture" thinker who brings nearly 20 years of experience in Information Security, Assurance and Technology. Recently, she led the information security, privacy and compliance pre-acquisition, acquisition and post-acquisition of LearnVest, Inc. to Northwestern Mutual Life Insurance Company, a Fortune 100 company. She is well known for being a gifted polymath, having deep understanding of current cyber security challenges and privacy issues. She has a proven track record of taking companies to the next level of excellence in many sectors including government, financial services, fintech, healthcare, information technology, legal, semiconductors and retail. She's always open to new opportunities. Visit her on LinkedIn.