Mid-Year Summary of Significant 2016 Healthcare Data Breaches

Cyberattacks on healthcare groups are now commonplace and, as long as it is profitable for hackers to attack healthcare organizations, the cyberattacks will continue. Given the number of healthcare data violations now being reported, it is evident that the healthcare industry must do more to enhance defenses against cyberattacks, insider threats. To do that, healthcare organizations need to focus on more than HIPAA compliance.

Healthcare groups had a stressful time in 2015. In 2015, more healthcare records were stolen than in any other year since records of breaches started being recorded by the Office for Civil Rights. Some of the cyberattacks on healthcare suppliers and health insurers lead to huge amounts of data being stolen.

Until the last week in June it appeared that the healthcare industry had prevented large data breaches on the scale of the cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield in 2015. However, as the first six months of the year came to an end, a hacker offered a 9.3-million record database for sale on a Darknet marketplace.

Other large-scale data violations in 2016 include the cyberattack on 21st Century Oncology – A Fort Myers, Florida-based provider of cancer treatment. That attack may have led to the accessing and theft of 2,213,597 patients’ records.

In February, 2016, Florida-based Radiology Regional Center, PA., submitted a violation report of 483,063 patients’ PHI. The breach did not involve a hacker in this instance, instead the data exposure happened when patient files fell from a car that was transporting the files to be destroyed.

In May, California Correctional Health Care Services revealed the possible exposure of 400,000 health records when an unencrypted laptop computer was taken. A stolen laptop storing ePHI was also reported by Premier Healthcare, LLC., in April. The device theft lead to the exposure of 205,748 patient records.

Community Mercy Health Partners also reported a violation involving more than 100,000 patient records. Files storing the protected health data of 113,528 patients were found in a recycling bin in Springfield, Ohio.

Healthcare records were also possibly taken due to a malware infection at EMR management company Bizmatics. It is not yet obvious exactly how many patients were affected by that breach, although current estimates indicate more than 265,000 people have been impacted.

In total, 142 healthcare data violations involving more than 500 records have been reported to the Department of Health and Human Services’ Office for Civil Rights so far in 2016. During the same period in 2015, 143 data violations were reported.

All data breaches may not yet have made it onto the OCR breach portal, the current breach reports show how healthcare records are being exposed.

  • 48 data breaches were filed as unauthorized access
  • 43 data breaches were due to hacking or network server incidents
  • 37 breaches happened because of  the loss or theft of devices used to store ePHI or the loss/theft of physical records
  • 4 breaches were due to the improper destruction of records

In terms of the records that were taken or exposed:

  • 60% were due to cyber hacking (2,703,961 records)
  • 78% were due to loss/theft by an individual or individuals (1,342,125 records)
  • 6% were the result of access by an unauthorized person or group (342,748 records)
  • 63% happened due to improper disposal (118,594 records)

Reports from the Department of Health and Human Services’ Office for Civil Rights show 95,251 healthcare records were exposed or stolen in June 2016; however, there have been more large scale data breaches that have yet to appear on the OCR breach portal.

The sustained series of hacks by TheDarkOverlord have yet to be added to the OCR breach portal. Add in the healthcare records that were taken in those attacks, and others that have yet to be added to the breach portal and the total number of records exposed in June rises to 11,061,649, according to figures released in a recent Protenus report. The June figures are more than five higher than the total number of healthcare records that were exposed in the first five months of the year. Between January and May, 2016., 2,136,810 healthcare records were improperly accessed.

The Protenus report shows 41.4% of violations in June were the result of hacking and the same percentage were caused by insider theft and mistakes. The theft or loss of hard copies of patients PHI or devices storing ePHI accounted for 17.2% of breaches in June.