Hacks behind most major healthcare data breaches so far in 2022



Only one other type of violation has been recorded in the federal tally this year

Marianne Kolbasuk McGee (HealthInfoSec) • February 22, 2022

Hacking incidents still dominate top health data breaches reported to the US Department of Health and Human Services in the first few months of 2022, with only one other type of breach appearing on the federal tally so far this year.


A Tuesday snapshot of the HHS Office for Civil Rights’ HIPAA Breach Reporting Tool website shows that so far in 2022, 64 reported healthcare data breaches, affecting a total of nearly 3.1 million people, have been posted to the tally.

The HHS OCR website lists health data breaches affecting 500 or more people.

Types of violation

Of the breaches added to the tally so far in 2022, 50 were reported as IT/hacking incidents affecting approximately 2.97 million people. This means that nearly 80% of breaches posted on the HHS OCR website in 2022 were reported as hacking/computer incidents, and these incidents were responsible for 96% of those affected by major health data breaches so far this year.

A data exfiltration incident reported by Broward Health as affecting 1.3 million people tops the list of the biggest health data breaches so far this year.

Thirteen breaches reported as “unauthorized access/disclosure” incidents affecting nearly 88,700 people are the only other type of breach added to the tally so far in 2022.

There is only one “theft” incident published on HHS’s tally in 2022 involving unencrypted computing devices. The incident involved protected health information contained on a back-up medical imaging server stolen in a November 2021 burglary, reported to HHS on January 14 by South City Hospital in St. Louis, Missouri. It affected approximately 21,600 people.

Since 2009, the HHS tally shows some 4,505 reported violations affecting 323.4 million people. The greatest number of people were affected by healthcare data breaches in 2015, when 270 major HIPAA breaches affected a record 112.5 million people. But that included 78.8 million people affected by a single incident – a major cyberattack on health insurer Anthem.

Biggest breaches reported in 2022, so far

So far, the top five breaches posted to the HHS site in 2022 are all computer/hacking incidents affecting a mix of HIPAA-covered entities and business associates. They include:

  • A hacking incident involving data exfiltration, affecting 1.3 million people, reported on January 2 by the Florida-based North Broward Hospital District, which does business as Broward Health;
  • A ransomware incident, affecting more than 521,000 people, reported on February 1 by Michigan-based Morley Companies Inc., a vendor that provides commercial processing services to health plans;
  • A cyberattack involving the exploitation of a SonicWall product vulnerability, affecting nearly 135,000 people, reported Jan. 7 by the Utah-based Medical Review Institute of America, a vendor that provides clinical reviews and countermeasures. virtual expertise;
  • A hacking incident involving data theft, affecting nearly 134,000 people, reported on Jan. 22 by Massachusetts-based Medical Healthcare Solutions Inc., a medical billing provider;
  • A network hacking incident that appears to involve ransomware, affecting nearly 116,000 people, reported on February 7 by South Shore Hospital Corp., an Illinois-based community healthcare organization.

Broken records

In 2021, a record 714 major health data breaches affecting more than 45.7 million people were reported to HHS (see: Record number of major health data breaches in 2021).

This includes some 526 breaches reported as hacking/IT incidents affecting 43.1 million people. Similar to trends that unfolded in the first few months of 2022, hacking/computer incidents were involved in 73% of all 2021 breaches posted on the HHS website, and they were responsible for approximately 94% of those affected.

These numbers may continue to increase in the coming weeks as HHS OCR officials review and confirm details of additional HIPAA violation reports submitted in late 2021 and post them to the website.

Other Threats

As covered entities and business associates combat hacking incidents, it is essential that they do not lose sight of the prevention and detection of other types of incidents that also put PHI at risk of compromise, according to some experts.

“Inside threats are particularly high in the healthcare industry, and they are particularly difficult to identify and thwart,” says Kate Borten, president of privacy and security consultancy The Marblehead Group.

“Insiders know where the gold is, and they often know where the holes in an organization’s security are. As a result, an attack can successfully stay under the radar,” she says.

The difficulty is separating normal user activity from inappropriate actions, according to Borten.

“Additionally, in educational and research institutions, a large portion of authorized users are often not direct employees,” she says. This includes medical personnel, students, and researchers, in addition to business associates. “And keeping track of their status is more complicated and error-prone than keeping tabs on employees.”

Keith Fricke, principal consultant at privacy and security consultancy tw-Security, says monitoring the “surface” of their organizations is a challenge for many covered entities and business associates, especially if they focus on prevention and detection of hacking incidents.

For example, insider incidents have been more common during COVID-19 due to eavesdropping on patient records of co-workers, neighbors and others, he says. “It is difficult for organizations to monitor so many moving parts when it only takes one successful attack to gain unauthorized access to systems or information.”

“Besides spying activity that falls through the cracks, the loss or theft of a personal device, especially smartphones with access to corporate email, can also be missed – or at least delayed detection. IT may not be aware of a missing personal smartphone until the employee contacts IT, requesting that access to the company’s email system be restored.”

Steps to take

Tom Walsh, president of tw-Security, suggests that to help detect incidents of hacking and other breaches compromising PHI, entities should perform periodic dark web scanning for the organization’s domain name and/or its public IP addresses.

These scans can show whether cybercriminals have released information about the organization, or data that may have been obtained through an attack or data exfiltration, he says.

Walsh also says organizations should consider retaining at least a year of key log data.

Future trends

Fricke says hacking breaches will continue, particularly incidents involving servers, which tend to store large amounts of sensitive information.

Of the 50 computer/hacking incidents reported on the HHS count so far in 2022, 35 breaches – or 70% – were reported to involve servers as the “location” of the breach. The others were flagged as involving email as the “location” of the breach.
