Analysis: Federal tally shows breaches increase every year, hacks dominating
Marianne Kolbasuk McGee (HealthInfoSec)
January 17, 2022
In the midst of the global COVID-19 pandemic, the federal tally shows that a record number of major healthcare data breaches were reported in the United States in 2021, and the vast majority of them involved hacking incidents.
As of Monday, the Department of Health and Human Services’ HIPAA Breach Reporting Tool website showed some 713 major health data breaches affecting more than 45.7 million people posted for 2021.
These numbers may continue to rise in the coming weeks as HHS Office for Civil Rights officials review and confirm details of additional breach reports submitted in late 2021 and post them to the website.
While the number of major health data breaches reported to HHS in 2021 exceeds that of previous years, the number of breaches reported has steadily increased each year for at least the past five years.
The 45.7 million individuals affected in 2021 by major health data breaches are not, however, the record number affected in a year.
The greatest number of people were affected by healthcare data breaches in 2015, when 270 major HIPAA breaches affected a record 112.5 million people. But that included 78.8 million people affected by a single incident – a major cyberattack on health insurer Anthem.
This incident, which was detected in late 2014 but reported to HHS by Anthem in February 2015, is by far the largest health data breach reported to date.
Since 2009, the HHS OCR website shows some 4,444 major health data breaches affecting nearly 321 million people. In recent years, this includes:
- 663 breaches affecting more than 34 million people in 2020;
- 512 breaches affecting 42.3 million people in 2019;
- 369 breaches affecting 14.4 million people in 2018;
- 358 breaches affecting nearly 5.3 million people in 2017;
- 329 breaches affecting 16.7 million people in 2016;
- 270 breaches affecting 112.5 million people in 2015, including the record-breaking Anthem hacking incident.
The HHS website shows that 7.6% more major HIPAA breaches were reported in 2021 than in 2020, and that 34.4% more people were affected by these incidents in 2021 than in 2020.
Breach Trends 2021
Hacking/IT incidents were by far the most prevalent type of health data breach on the HHS website in 2021, continuing a trend that has grown in recent years.
As of Monday morning, the HHS website listed 526 major HIPAA breaches reported as hacking/IT incidents, affecting 43.1 million people, for 2021. This means hacking/IT incidents were involved in 73% of all 2021 breaches posted on the HHS website so far, but these incidents were responsible for approximately 94% of the people affected.
Some 147 “unauthorized access/disclosure” breaches affected more than 2.2 million people in 2021. This represents about 20% of total breaches and about 4.8% of people affected in 2021.
Only 16 loss/theft breaches involving unencrypted computing devices — such as laptops and mobile storage equipment — were posted on the HHS website in 2021. These incidents, which were the top source of major health data breaches in past years, affected fewer than 100,000 people in 2021.
Business associates were reported to be involved in 251 breaches affecting 21.3 million people in 2021. This means that vendors and other business associates handling protected health information were implicated in approximately 35% of all major HIPAA breaches in 2021. These business associate-related incidents accounted for approximately 46% of all those affected last year by major health data breaches.
10 biggest healthcare data breaches in 2021
| Breached entity | Individuals affected |
| --- | --- |
| Florida Healthy Kids Corp. | 3.5 million |
| 20/20 Eye Care Network | 3.2 million |
| Forefront Dermatology | 2.4 million |
| Eskenazi Health | 1.5 million |
| The Kroger Co. | 1.47 million |
| St. Joseph’s/Candler Health System | 1.4 million |
| University Medical Center of Southern Nevada | 1.3 million |
| American Anesthesiology | 1.27 million |
| Practicefirst Medical Management Solutions | 1.2 million |
2022 Trends So Far
On Monday, the HHS OCR website showed five major breaches affecting 1.6 million people posted so far in 2022.
Each of these breaches was reported as a hacking/IT incident, as were the top 10 breaches posted on the HHS site in 2021.
So far in 2022, the largest breach posted on the HHS site was reported on Jan. 2 by Fort Lauderdale, Fla.-based Broward Health. This hacking incident, which occurred in October and involved data exfiltration, affected 1.3 million people.
Some experts don’t expect the growing number of reported health data breaches — and the growing number of people affected — to diminish any time soon.
“Breaches will increase as businesses continue to automate more. Data is the new currency of the cyber world,” says Tom Walsh, founder of privacy and security consultancy tw-Security.
But it’s not just a healthcare industry problem, some experts note.
“I guess the number of breaches in all sectors has increased. [This] goes hand in hand with the global nature of e-commerce, security and crime. And the pandemic is exacerbating all of that,” says Kate Borten, president of privacy and security consultancy The Marblehead Group.
Hacking incidents in particular will continue to plague the healthcare industry, Walsh said. “Hackers have stepped up their efforts. With the new tools available, it’s even easier for someone with basic experience to launch a more sophisticated attack,” he says.
Walsh says hackers previously had to be technically proficient in operating systems and software to successfully launch an attack, but now software-as-a-service tools and tools using artificial intelligence make it easier for novice hackers.
At the same time, “the pandemic seems to have spawned more scams, taking advantage of people working from home where they are connected 24/7,” Borten says. She says working from home and combining work and personal activities throughout the day and night can weaken individuals’ attention to good safety practices.
Walsh says many organizations have become more diligent about dealing with the risks of working from home.
“The home office environment may not be as secure as the work environment. However, in my experience, while in 2020 companies have hastily returned the majority of their hand In 2021, efforts have been made to further strengthen security defenses for those working from home.”
Meanwhile, the surge in ransomware attacks has created the need for Covered Entities and Business Associates to modify their defense strategies and recovery procedures, he says.
“The types of breaches caused by ransomware appear to have shifted from an inconvenience of data availability – encrypted data being held for ransom – to data exfiltration with threats of data being released onto the dark web if the ransom isn’t paid,” Walsh says, adding that data exfiltration “requires a totally different response strategy.”