Five data breaches reported to OCR in the first half of 2021 compromised data on more than 1 million patients each.
The largest breach reported involved a hack at a vendor that worked with insurer Florida Healthy Kids Corp. The hack took place on the company's web hosting platform, according to the insurer, which could have exposed information on an estimated 3.5 million people who applied for or were enrolled in the insurer's coverage from November 2013 until December 2020.
Florida Healthy Kids, which reported the incident in January, said it was notified about the breach in December.
HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department, so some of the incidents reported to OCR so far this year were discovered in late 2020 and may have taken place even earlier.
The insurer said the street addresses of several thousand people—a subset of the 3.5 million people reported to OCR—who applied for the insurer's Florida KidCare coverage online had been "inappropriately accessed and tampered with" by hackers. Other information seemingly hadn't been altered.
Florida Healthy Kids marks one of the latest examples of a healthcare organization having to notify patients of data exposure after a breach at a third-party company. Kroger Co. since February has notified thousands of patients who shared data with the company's healthcare arm about a massive breach at Accellion, a company it contracted with for file transfer services.
Many organizations also reported hacks against their own systems, including major breaches at 20/20 Eye Care Network, CaptureRx and American Anesthesiology. In some cases, hackers not only accessed, but actually removed data from organizations' systems.
Hamilton warned of a newer trend in ransomware, in which hackers won't encrypt data or a hospital's network while demanding money in exchange for a decryption key—instead, hackers are increasingly removing patient records from a hospital's system and threatening to publicly release or sell them if the organization doesn't pay.
The American Hospital Association in the spring called on the federal government to play a bigger role in responding to ransomware attacks against the healthcare industry, urging a "coordinated campaign" against ransomware gangs, many of which operate outside of the U.S.
Steps like implementing multi-factor authentication, monitoring which devices are connected to an organization's network, restricting which sites employees can visit on company computers—like personal email or Facebook, both avenues through which hackers can send phishing messages—and regularly backing up data can help hospitals protect themselves against breaches.
Given the prevalence of ransomware and other cyberattacks, hospitals and their staffers should be prepared and taking preventive measures, even if they haven't been hit by malware in the past, said Maya Levine, technical marketing engineer for cloud security at cybersecurity company Check Point Software Technologies.
"Operate under the assumption that 'we will have a ransomware attack at some point,'" she said. "Ransomware attacks are disruptive for every industry," but in healthcare, "people's lives are … at stake."