Data entrusted to healthcare organizations and their business associates is governed by a myriad of federal and state regulations. The most comprehensive of these in the United States is HIPAA (1996), as strengthened by the HITECH Act of 2009 and the 2013 HIPAA Omnibus Rule, which implemented HITECH’s changes to the Privacy, Security, and Breach Notification Rules and made business associates directly liable for compliance (collectively, “HIPAA” below). Prior to the Omnibus Rule, there were gaps in security requirements and noncompliance penalties regarding medical records and related data.
The most visible effect of HIPAA’s Breach Notification Rule is that healthcare data breaches are frequently in the headlines. CVS Health recently exposed more than one billion records, some of which included patient email addresses. CaptureRX has reported a data breach that exposed over 1.6 million patients across 21 healthcare organizations, though other reports put those numbers at over 1.9 million patients and 28 organizations. The Accellion data breach has compromised 10 healthcare organizations, with at least 3.47 million patients exposed. The list goes on. The incidents themselves occurred throughout the year, but the disclosures mentioned above are all from this month’s headlines.
5 alternative paths to a healthcare data breach
Most of the large healthcare data breaches are categorized under “Hacking/IT Incident,” but there are many other paths to a data breach:
IT asset disposal (ITAD): Asset disposal is one of those housekeeping items that many companies either fail to consider or fail to communicate to relevant parties. One example of this is the 2012 data breach caused by a vendor dumping patient records into a dumpster. The more common scenario is a computer recycling program with no step that verifies the storage devices have been sanitized (wiped, cryptographically erased, or physically destroyed, as described in NIST SP 800-88) before the hardware leaves the organization’s control. ITAD is included in the recent CISA report, ‘Defending Against Software Supply Chain Attacks.’
Misconfigured applications: Applications that have not been secured properly may be accessible to the public or found by malicious bots looking for a target. CVS Health inadvertently exposed 1 billion records to the public through a database that was not password protected. Insight Global exposed the COVID contact tracing records of more than 72,000 Pennsylvanians by neglecting the security protocols defined in the contract with the state Department of Health.
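The exposed-database pattern behind the CVS Health incident is easy to check for in configuration before anything is deployed. The following is an added example, not code from the original post or from any organization it mentions; the post does not say which database product was involved, so the Elasticsearch setting names (network.host, xpack.security.enabled) and the two sample configurations are illustrative assumptions.

```python
"""Audit a flat Elasticsearch-style settings file for the combination that
turns a database into a public one: bound to every interface with
authentication switched off.

Added example for this post. The setting names follow elasticsearch.yml
(network.host, xpack.security.enabled) as an illustrative assumption; the
post does not identify the database product in the incidents it cites.
"""

# network.host values that keep the listeners on the local machine only.
_LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_settings(text):
    """Parse 'key: value' lines as written in elasticsearch.yml.

    Comments and blank lines are dropped. Nested YAML mappings are not
    handled; the settings audited here are conventionally written as
    dotted keys, one per line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_settings(text, security_default="false"):
    """Return a list of findings; an empty list means nothing was flagged.

    security_default is what the cluster uses when xpack.security.enabled is
    absent. Self-managed clusters before 8.x defaulted to "false"; 8.x
    defaults to "true", so pass the value for the version you run.
    """
    settings = parse_flat_settings(text)
    findings = []

    # Elasticsearch binds to loopback when network.host is unset.
    host = settings.get("network.host", "_local_")
    public = host.lower() not in _LOOPBACK_HOSTS
    if public:
        findings.append(f"network.host={host!r}: listeners reachable beyond loopback")

    security = settings.get("xpack.security.enabled", security_default).lower()
    if security != "true":
        findings.append("xpack.security.enabled is not true: requests need no credentials")

    if public and security != "true":
        findings.append("CRITICAL: anyone who can reach the port can read and modify every index")
    return findings


# Constructed sample configurations: the weak one beside a hardened one.
WEAK_CONFIG = """
cluster.name: patient-search
network.host: 0.0.0.0           # every interface, including the public one
http.port: 9200
xpack.security.enabled: false   # no users, no passwords, no TLS
"""

HARDENED_CONFIG = """
cluster.name: patient-search
network.host: 127.0.0.1         # reachable only through a local proxy or VPN
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_settings(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the real settings file in a CI step and fail the pipeline on any CRITICAL finding; a firewall rule in front of the port is a second layer, not a substitute, because the data store will usually outlive whoever wrote the rule.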
Equipment theft: Storing sensitive data on a workstation is a risk. Storing patient information on a laptop that you leave in your car is just asking for trouble. At an addiction treatment non-profit in Kansas, an estimated 52,076 patients were affected when an employee’s laptop was stolen from his car. The exposed records included names, Social Security numbers, prescription information, and more. A similar incident in Indiana caused a potential breach of more than 200,000 patient records. Full-disk encryption changes the outcome: under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not “unsecured,” so a stolen device whose data is encrypted and whose key was not compromised generally does not have to be reported as a breach.
Employee error: All employees make mistakes, but some mistakes are much worse than others. For example, 91,000 patient records were exposed when an employee of the Washington State Health Care Authority asked for help with a spreadsheet that contained private health information. An Independence Blue Cross employee accidentally uploaded 16,762 partial patient records to a public-facing website. A Wyoming Department of Health employee accidentally uploaded COVID-19 test data for more than 164,000 people to the department’s GitHub repository.
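Accidental uploads of the kind described above are usually caught by a check that runs before data leaves a workstation, for example as a Git pre-commit hook. The following is an added example, not code from the original post or from any agency it names; the PHI patterns, file names, and sample file contents are constructed for illustration and would need tuning to an organization’s own record formats.

```python
"""Scan text for likely protected health information (PHI) before it is
committed or uploaded, the control that would have caught the spreadsheet
and GitHub incidents above.

Added example for this post, not code from any agency or vendor it names.
The patterns, file names and contents below are constructed for
illustration and would need tuning to an organization's own record formats.
"""
import re

# Indicators of PHI. Each is deliberately narrow to limit false positives, so a
# real deployment would add the organization's own identifier formats.
PHI_PATTERNS = {
    # SSN with the structurally invalid area/group/serial values excluded.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Date of birth in MM/DD/YYYY form; other dates also match, which is
    # acceptable for a blocking check that a human then reviews.
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d\d\b"),
    # Medical record number written with its label.
    "mrn": re.compile(r"\b(?:MRN|medical record (?:number|#))\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),
    # A named test together with a result is a diagnosis, not just a keyword.
    "test_result": re.compile(r"\b(?:SARS-CoV-2|COVID-19)\b.*\b(?:positive|negative|detected)\b", re.IGNORECASE),
}


def redact(match_text):
    """Mask digits so findings can be logged without copying the PHI again."""
    return re.sub(r"\d", "*", match_text)


def scan_text(text, filename="<stdin>"):
    """Return (filename, line_number, kind, redacted_match) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PHI_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((filename, lineno, kind, redact(m.group(0))))
    return findings


def should_block_commit(staged_files):
    """staged_files maps filename -> content, as a pre-commit hook would read
    them with `git show :path`. Returns (block, findings)."""
    findings = []
    for name, content in staged_files.items():
        findings.extend(scan_text(content, name))
    return bool(findings), findings


# Constructed sample of staged files: a test fixture that should never have
# held real data, a harmless README, and a raw export.
SAMPLE_STAGED = {
    "tests/fixtures.csv": "name,dob,ssn\nJane Doe,07/14/1982,123-45-6789\n",
    "README.md": "Run `make test`; results are written to build/report.csv.\n",
    "data/export.txt": "MRN: 00481516 COVID-19 result: positive\n",
}


if __name__ == "__main__":
    block, found = should_block_commit(SAMPLE_STAGED)
    for filename, lineno, kind, snippet in found:
        print(f"{filename}:{lineno}: {kind}: {snippet}")
    print("commit blocked" if block else "commit allowed")
```

The hook should fail closed (block on any finding and require an explicit override) and log only the redacted snippet, since a findings log that reproduces the SSN it caught has just created a second copy of the PHI.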
Other: Employees of Radiology Regional Center recovered over 483,000 paper medical records from the area “around Fowler Street in Fort Myers, Florida.” The records fell off a truck while in transit to an incinerator. In another incident, thousands of Aetna customers received a mailed letter regarding a change in benefits, and the recipient’s HIV status was visible through the window of the envelope.
Record-setting pace of data breaches
HIPAA Journal recently examined more than 10 years of records and found that “Hacking/IT Incidents” and “Unauthorized Access/Disclosure Incidents” are currently the primary causes of data breaches at healthcare organizations. The research also showed that between 2009 and 2020, 268,189,693 healthcare records were exposed, and that breaches were reported at an average rate of 1.76 per day in 2020. It’s important to note, though, that these figures cover only breaches affecting 500 or more individuals, the threshold at which the HHS Office for Civil Rights publicly lists a breach; smaller incidents are reported to HHS annually and do not appear in these totals.
2020 set a record for the number of healthcare data breaches, and every year since 2009 except 2015 has set a new record in turn. To be fair, 2015 does come out on top when it comes to the number of records exposed: more than 113.27 million records were compromised that year, primarily due to three massive health plan data breaches.
Breach numbers have continued to trend upward in 2021. Between January 1 and May 31, 264 healthcare data breaches were reported in the U.S., affecting a total of 17,722,372 healthcare records, and the reporting rate has exceeded 2 per day every month since March.
While ransomware is a growing threat, it’s certainly not the only one that results in data loss. Here are three things to consider as you evaluate your compliance and security strategies:
- Email security. Barracuda offers AI-powered anti-phishing technologies that can stop attacks from getting to the inbox. Data Leak Protection stops critical data from being emailed to outsiders. The Office 365 Email Threat Scanner will reveal any threats that are already in your Office 365 inboxes.
- Application protection. Barracuda Web Application Firewall (WAF) and WAF-as-a-Service can protect your web applications from malicious bots and intrusion attempts. The Barracuda Vulnerability Manager and Remediation Service is a free tool that automates remediation based on the vulnerabilities it detects in a scan. This makes it easy to ensure that your databases are secure and not accessible to the public.
- Data protection. Barracuda Backup protects your data wherever it may reside. Data can be replicated to an offsite location, including an unlimited Barracuda cloud storage destination. Barracuda Cloud-to-Cloud Backup is a SaaS solution that protects Microsoft Teams, Exchange, SharePoint, and OneDrive data. The Barracuda Backup Configurator helps you ensure all your data is covered.
Cybersecurity and data protection technologies can’t fix poorly designed mailing envelopes or stop paper records from falling off a truck. But they can ensure that data is protected from hacking, intrusion, and most accidental data loss. Visit our website to see how we can help your organization remain secure and in compliance.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.