Tally’s 2021 health data surge continues
Breach notification, fraud and cybercrime management, incident and breach response
Ransomware attacks continue to plague the industry
Marianne Kolbasuk McGee (HealthInfoSec) •
May 27, 2021
Another large wave of major breaches resulting from hacking incidents, including ransomware attacks, has inundated the federal tally of major health data breaches in recent weeks.
Nearly 100 new violations were reported to the Ministry of Health and Social Services HIPAA Violation Reporting Tool website, which lists health-related data breaches affecting at least 500 people.
On Thursday, the HHS Office for Civil Rights website showed that 251 major violations had been added to the tally so far this year, affecting a total of nearly 17.3 million people.
This is a big jump since April 19, when the count listed 159 violations affecting a combined total of 12.5 million people (see: What are the reasons for the surge in health data breaches?).
“HHS data shows that, so far in 2021, more than one in 20 American adults have suffered a health care violation,” says Jim Van Dyke, senior vice president of security provider Sontiq .
“We need to constantly make ourselves aware of how these breaches fuel identity crime – and, more importantly, what organizations and consumers can do to prevent the inevitable data breach from becoming a crime. identity that creates real personal loss, ”he says.
Of the breaches reported so far this year, 174 – or almost 70% – were reported as ‘hacking / computer hacking incidents’ affecting 16.5 million people, or about 95% of those affected by breaches. identified in 2021.
The biggest violation added to the tally in recent weeks is a hacking incident reported to HHS on May 5 by NEC Networks, based in San Antonio, Texas, which operates as CaptureRx. This breach affected nearly 1.7 million people.
The company – which provides pharmacy benefit management and administrative services to hundreds of US and other hospitals – cited Thursday 130 clients of covered entities who were affected by its violation, compared to the 40 affected customers reported by CaptureRx when the incident was first disclosed (see: More healthcare disruption from provider incidents).
A breach notification report that CaptureRx submitted to the Maine state attorney general’s office on May 18 updates the total number of people affected at nearly 2 million.
Although the CaptureRx incident has been reported in other media including Becker, as implying ransomware, CaptureRx has not confirmed any details about the nature of the attack. He did not immediately respond to a request for comment.
The company said in a statement that its investigation determined “that certain files were viewed and acquired on February 6, without authorization.” The affected data included people’s names, dates of birth and prescription information, the company said.
Van Dyke notes that the dozens of entities affected by the CaptureRx incident are a continuation of a growing phenomenon he calls “the breach complex.”
Breach complexes are made up of a “voluminous number” of related incidents, such as dozens of covered entities that all report individual violations related to the same supplier incident, he says.
“Each individual breach in a ‘breach complex’ can expose unique identifying information and, in turn, create unique risks of identity crime.”
A hacking incident was also reported by New Mexico-based Rehoboth McKinley Christian Health Care Services, which affected 207,000 people. This incident was reported in other media as a ransomware incident involving the Conti ransomware gang. But the organization has not confirmed the nature of the attack.
Meanwhile, a recent ransomware attack on New York Dutchess County Orthopedic Associates affected nearly 331,400 people. In its statement of violation, the practice acknowledges that its systems have been encrypted by attackers and that patient data has been “deleted / viewed”.
The CaptureRx incident is one of more than 100 business associate violations that have been added to the tally so far this year. In total, these supplier incidents have affected nearly 11.3 million people, or 65% of those affected so far by major health data breaches, added to the tally in 2021.
Among the incidents involving business associates that have been added to the tally in recent weeks was a violation affecting 125,500 people reported by Family Care in San Diego and a breach affecting nearly 294,000 people reported by Health Center Partners of Southern California.
In a joint breach notification statement, the nonprofits say San Diego Family Care and its associate, Health Center Partners of Southern California, have learned that their unnamed IT hosting provider has ” suffered a data security incident that resulted in the encryption of some data. “
Databreaches.net reports that the entities are among the growing list of cloud hosting and managed service provider Netgain Technology customers affected by a ransomware attack in December 2020.
Series of healthcare ransomware attacks “indicates hackers haven’t slowed down their efforts to find new ways to get people to click a link or open a PDF,” says Susan Lucci , senior privacy and security consultant at tw-Security.
“Their work to introduce ransomware and encrypt files to cripple not only healthcare but also our country’s infrastructure has proven relentless,” she says. “Everyone needs to be on high alert and take a hard look at what’s coming into their inbox.”
Ransomware is the number one cause of healthcare data breaches, she notes and says, “Hacking is the cause of nearly 80% of all significant data breaches reported since the report began. 2009. ”
Other causes of violation
Another major cause of violations reported so far in 2021 is incidents involving “unauthorized access / disclosure”. Around 64 such incidents affecting nearly 662,000 people have been added to the tally so far this year.
The most significant of these incidents was reported to HHS on April 29 by the Wyoming Department of Health. This incident involved files containing data of COVID-19 test results and flu tests, as well as blood alcohol test results, mistakenly uploaded by an employee to publicly accessible GitHub.com.
Since its inception in September 2009, the HHS website has listed 3,977 violations affecting a total of 290 million people.