ThreatList: Healthcare Breaches Spike in October

38 million consumer health records have been exposed so far in 2019.

October experienced a 44.44 percent month-over-month increase in healthcare data breaches, resulting in 661,830 healthcare records exposed or stolen during the month.

That’s according to the Health and Human Services (HHS) Office for Civil Rights’ monthly report reported via HIPAA Journal. The department said that hospitals and other healthcare organizations reported 52 breaches to HHS during the month. Year-to-date, the total number of breached healthcare records stands at 38 million, affecting 11.64 percent of the population of the United States.

The three most notable breaches of the month, according to the report, were all a result of cyberattacks and hacking. These breaches include Betty Jean Kerr People’s Health Centers (152,000 records exposed as a result of a ransomware attack); Kalispell Regional Healthcare (140,209 records thanks to a phishing effort); and the Methodist Hospitals (68,039 records also phishing).

There was also a breach at Texas Health Resources thanks to a mailing error, which involved a total of 82,577 records. This was reported as 15 separate breaches for each of its affected facilities.

In total, HHS said that there were 18 hacking/IT incidents reported in October involving 501,847 healthcare records; 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records; and five loss/theft incidents involving 13,454 records. Also, one improper disposal incident was reported involving 11,754 records.

“It’s not that there is a lack of data protection tools and procedures,” said Javvad Malik, security awareness advocate at KnowBe4, told Threatpost. “Encryption, multi-factor authentication, data access models and such all exist.”

He added, “broadly speaking this is a cultural issue, where medical institutes by and large do not consider security requirements, and do not drill in security through every role. Until we see cybersecurity being embedded into the culture of healthcare organizations in the same way that we try to combat the spread of germs with constant reminders and availability of anti-bacterial hand wash, we will continue to see breaches occur.”

The “other” category encompasses Texas Health’s 15 mailing error incidents and four others.

In all, October saw healthcare organizations and business associates in 24 states report data breaches (Texas’ 15 accounting for most of them).

“Healthcare information is some of the most sensitive of personal information. While it is important to have healthcare information readily available to medical professionals, care needs to be taken that the information is not made available to criminals trying to gain access,” Malik said.

And indeed, medical-related information is valuable to cybercriminals, who can use personal and demographic information, financial statements, health details and insurance information for identity theft, insurance fraud, financial gain or even blackmail, according to Don Duncan, security engineer for NuData Security.

“With healthcare information, cybercriminals can pose as doctors and patients to put in false claims or even change the records of patients,” he recently told Threatpost. “This poses a severe danger to patients’ health and to their pocketbooks. Additionally, there is no mechanism in place to address records that have been altered.”

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure”┬áto hear advice from breach expert Chip Witt of SpyCloud. Click here to register.

Suggested articles