In recent years, there has been a substantial increase in the number of cyberattacks on healthcare organizations with the aim of obtaining PHI. It has proven profitable for hackers to conduct attacks on healthcare organizations and sell the data on the black market.Healthcare organizations under pressure to improve their defenses and make it harder for hackers to succeed.
In 2015, healthcare organizations saw more healthcare records stolen than any other time since records started being kept. Some of the cyberattacks on healthcare providers and health insurers resulted in massive amounts of patient data being stolen. These organisations are likely to face serious recriminations for their failure to keep the data safe.
Healthcare Data Breaches in 2016
For the first half of this year, it looked like the healthcare industry had avoided data breaches on the massive scale of the cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield in 2015. However, towards the end of June, a hacker announced the successful breach of a health insurer. The hacker listed the 9.3 million records that it had stolen from the database for sale on a Darknet marketplace.
Other large-scale data breaches in 2016 include the cyberattack on 21st Century Oncology – A Fort Myers, Florida-based provider of cancer treatment. The scale of the attack has not been ascertained for sure, but it is likely to have resulted in the hacker accessing and stealing 2,213,597 patients’ records.
In February, 2016, Florida-based Radiology Regional Center, PA., reported a breach of 483,063 patients’ PHI. This breach was not the result of a successful cyberattack, but occurred when patient files fell from a vehicle that was transporting the files to be incinerated.
In May, California Correctional Health Care Services announced the potential exposure of 400,000 health records when an unencrypted laptop computer was stolen. A stolen laptop containing ePHI was also reported by Premier Healthcare, LLC., in April. The device theft resulted in the exposure of 205,748 patient records. In both cases, the laptops were password protected, but did were not secured by suitable encryption software.
Community Mercy Health Partners also reported a breach of more than 100,000 patient records. Files containing the protected health information of 113,528 patients were discovered in a recycling bin in Springfield, Ohio.
Healthcare records were also potentially obtained as a result of a malware infection at EMR management company Bizmatics. It is not yet clear exactly how many patients were affected by that breach, although current figures indicate more than 265,000 individuals have been impacted.
So far this year, 142 healthcare data breaches involving more than 500 records have been reported to the Department of Health and Human Services’ Office for Civil Rights. This is in line with figures seen during the same period in 2015, during which 143 data breaches were reported.
While not all data breaches may yet have made it onto the OCR breach portal, the current breach reports show how healthcare records are being exposed.
A summary of the data breaches so far is as follows:
• 48 data breaches were reported as unauthorized access
• 43 data breaches were attributed to hacking or network server incidents
• 37 breaches were caused by the loss or theft of devices used to store ePHI or the loss/theft of physical records
• 4 breaches were due to the improper disposal of records
In terms of the records that were stolen or exposed:
• 60% were due to hacking (2,703,961 records)
• 78% were due to loss/theft (1,342,125 records)
• 6% were the result of unauthorized access or disclosure (342,748 records)
• 63% were the result of improper disposal (118,594 records)
Figures from the Department of Health and Human Services’ Office for Civil Rights show 95,251 healthcare records were exposed or stolen in June 2016. However, it is known that there exist some additional large scale data breaches that have yet to appear on the OCR breach portal.
The series of hacks by a hacker-known as “TheDarkOverlord”-have yet to be added to the OCR breach portal. This, in combination to the healthcare records that were stolen in those attacks, and others that have yet to make it onto the breach portal and the total number of records exposed in June rises to 11,061,649, according to figures published in a recent Protenus report. The June figures are more than five times as high as the total number of healthcare records that were exposed in the first five months of the year (2,136,810 records).
The Protenus report indicates 41.4% of breaches in June were the result of hacking and the same percentage were caused by insider theft and errors. The theft or loss of paper copies of patients PHI or devices containing ePHI accounted for 17.2% of breaches in June.