First half of 2021 marks record high for healthcare data breaches

Healthcare providers, insurers and their business associates have already reported 360 data breaches to the federal government in the first half of 2021—outpacing the same period for all previous years.

Those 360 breaches exposed data on nearly 23 million patients, according to data from HHS' Office for Civil Rights, which began maintaining a database of healthcare data breaches in 2010. Last year, organizations reported 270 breaches of 8 million patients' data in the first six months of the year; in 2019, around 230 breaches that exposed data on 11.2 million patients.

Not all of those breaches represent hacks against an organization, noted Michael Hamilton, chief information security officer at cybersecurity consulting firm Critical Insight.

Breaches attributed to "hacking/IT incidents" accounted for roughly 70% of reports so far this year, which can include intrusions from hackers, as well as incidents in which an IT system is configured in a way that accidentally exposes data. The remaining breaches in the first half of the year resulted from theft, loss, improper disposal and unauthorized access or disclosure.

That isn't to say hacks aren't a problem in healthcare, Hamilton said. A second-quarter report from the not-for-profit Identity Theft Resource Center found that incidents where data were actually compromised by hackers were up 38% quarter-over-quarter across all industries.

Healthcare ranked as the No. 1 industry for data compromise in the report, with 162 incidents reported in the first half of 2021.

Five data breaches reported to OCR in the first half of 2021 compromised data on more than 1 million patients each.

The largest breach reported involved a hack at a vendor that worked with insurer Florida Healthy Kids Corp. The hack took place on the company's web hosting platform, according to the insurer, which could have exposed information on an estimated 3.5 million people who applied for or were enrolled in the insurer's coverage from November 2013 until December 2020.

Florida Healthy Kids, which reported the incident in January, said it was notified about the breach in December.

HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department, so some of the incidents reported to OCR so far this year were discovered in late 2020 and may have taken place even earlier.

The insurer said the street addresses of a several thousand people—a subset of the 3.5 million people reported to OCR—who applied for the insurer's Florida KidCare coverage online had been "inappropriately accessed and tampered with" by hackers. Other information seemingly hadn't been altered.

Florida Healthy Kids marks one of the latest examples of a healthcare organization having to notify patients of data exposure after a breach at a third-party company. Kroger Co. since February has notified thousands of patients who shared data with the company's healthcare arm about a massive breach at Accellion, a company it contracted with for file transfer services.

Many organizations also reported hacks against their own systems, including major breaches at 20/20 Eye Care Network, CaptureRx and American Anesthesiology. In some cases, hackers not only accessed, but actually removed data from organizations' systems.

Hamilton warned of a newer trend in ransomware, in which hackers won't encrypt data or a hospital's network while demanding money in exchange for a decryption key—instead, hackers are increasingly removing patient records from a hospital's system and threatening to publicly release or sell them if the organization doesn't pay.

The American Hospital Association in the spring called on the federal government to play a bigger role in responding to ransomware attacks against the healthcare industry, urging for a "coordinated campaign" against ransomware gangs, many of which operate outside of the U.S.

Steps like implementing multi-factor authentication, monitoring what devices are connected to an organizations's network, restricting sites employees can use on company computers—like personal email or Facebook, both avenues where hackers can send phishing messages—and regularly backing up data can help hospitals protect themselves against breaches.

Given the prevalence of ransomware and other cyberattacks, hospitals and their staffers should be prepared and taking preventive measures, even if they haven't been hit by malware in the past, said Maya Levine, technical marketing engineer for cloud security at cybersecurity company Check Point Software Technologies.

"Operate under the assumption that 'we will have a ransomware attack at some point,'" she said. "Ransomware attacks are disruptive for every industry," but in healthcare, "people's lives are … at stake."