As we reported in February, healthcare data breaches have been on the rise since the start of the pandemic. Now, new data shows that the rate at which patient information is being accessed is not slowing down. In March alone, Modern Healthcare reports, there was a 37 percent increase in breaches and individuals affected over the same period last year, and incidents have increased 58 percent since this January. Becker’s Health IT says that over 1 million healthcare records were affected by March breaches, which is triple the amount affected in February.
The largest breach so far this year comes from an attack of the network servers at health plan provider Florida Healthy Kids Corporation, where the data from 3.5 million patients was compromised over the course of seven years. Social Security numbers, names, addresses, dates of birth and other financial information had been stolen through the plan’s website and data management company, Jelly Bean Communications Design.
The second-largest hack in 2021 was of The Kroger Co., where an incident reported in February affected almost 1.5 million people. That hack exposed similar information from the company’s pharmacy and clinic patients; the attackers gained access to the records through a file-transfer service called FTA, which was developed by Accellion. Only after Kroger discontinued working with Accellion was the company notified of the hack.
The third-largest breach affected over 1.2 million people and was reported by American Anesthesiology in January. In that attack, emails were targeted rather than patient records.
Data Playground
Healthcare is a particularly attractive arena for cybercriminals because of the sheer amount of information that is bundled in patient records. According to cybersecurity firm PurpleSec, patient health records — which often contain Social Security numbers, payment data, contact and address details and more — can be sold for $363 each on the black market, which is more than “any piece of information from other industries,” says the company. It also reports that 88 percent of all ransomware attacks, in which data is stolen or encrypted and subsequently released for a fee, take place in the healthcare field.
Clearly, robust cybersecurity is needed by any firm working in the healthcare sphere, yet there are surprising gaps that make patient data vulnerable. According to PurpleSec, only 16 percent of healthcare providers report using “fully functional” security programs, 25 percent say that they are not encrypting patient data and 89 percent of healthcare organizations had patient data lost or stolen in the past two years.
Don’t Tell
Beyond that, reporting of breaches is also a significant issue when it comes to the healthcare industry. Organizations are required by HIPAA to report breaches involving more than 500 people within 60 days of their discovery so, for example, any incidents that happen this week wouldn’t need to be revealed until late June.
Another issue with reporting is that some organizations simply flout the rule. Case in point: Health IT Security reported last week that four organizations only reported their 2020 breaches in the last few weeks, and even in those reports, the information was shoddy.
Beacon Health said the health information and personal data of its patients was compromised in October through a breach, although the company didn’t say exactly what that breach was. Planned Parenthood of Washington, D.C. also said that a cybercriminal stole patient-related data in a September hack but again, no information was provided about the number of people affected. VEP Healthcare reported a phishing incident from late 2019/early 2020 in which employee email accounts were hacked and patient data was exposed but no details were given with regard to exactly when the attack happened or how many people were affected. And Remedy Medical Group says a hacker breached its billing services provider, Administrative Advantage, and had access to an employee’s email account for several weeks in June and July 2020.
According to a report by CynergisTek, about 28 percent of organizations simply don’t comply with HIPAA reporting requirements regarding breaches, while 53 percent fail to comply with the NIST Cybersecurity Framework, a voluntary framework providing guidelines on how to prevent, detect, and respond to cyberattacks.
“Given the threat environment we operate in today where literally some percentage of almost everything computerized is a threat, the inability to effectively discover and respond to events is a real issue,” wrote CynergisTek CEO Mac McMillan in the report.
It’s an issue that costs, on average, $3.62 million per attack, says PurpleSec — a statistic that will hopefully see the healthcare industry start spending to prevent attacks rather than paying their costs after the fact.