2016: Healthcare data breaches in review, Part 1

There were a number of year-in-review analyses for the healthcare sector, but now Protenus has released its report, which is based on analyses of 450 U.S. incidents first disclosed in 2016. The incidents were compiled by DataBreaches.net, who also provided some of the analyses.

While some media outlets still headline external hacks where massive numbers of records are involved, Protenus’s report shines a brighter light on why covered entities need to pay greater attention to, and allocate more resources to, preventing and detecting insider breaches and business associate or third-party breaches.

To demonstrate how media headlines may over-focus on hacks and under-report the insider factors or third-party factors, let’s review the “top 12” list for 2016 based on number of records or patients.

1. Unnamed vendor for health plan: 10,300,000 records. No one ever admitted that they were the owner of this hacked database and the data were old, but according to the hacker, it was a vendor’s insurance leads file for a major health insurer. Many outlets don’t seem to even know about this incident and consider the Banner incident the largest of the year.

2. Banner Health: 3,620,000 patients. Banner announced that on July 7, it discovered its payment card system at food and beverage outlets had been hacked. On July 13, they learned that the hacker(s) might have also gained access to protected health information (PHI).

3. Newkirk Products: 3,466,120 health plan members.  Newkirk Products is a service provider that issues healthcare ID cards for health insurance plans. On July 6, they detected that a server may have been hacked.

4. 21^st Century Oncology: 2,213,597 patients. 21st Century Oncology, which operates 181 treatment centers, announced it was investigating a hack of their network that they first learned about from the government in November, 2015.

5. Valley Anesthesiology and Pain Consultants: 882,590 patients. On June 13, 2016, Valley Anesthesiology and Pain Consultants (VAPC) learned that a third party may have gained unauthorized access to VAPC computer systems on March 30, 2016.

6. Los Angeles County: 756,000. It was a great day for a phisher and a bad day for Los Angeles County residents. More than 750,000 people had their PII or PHI stolen.

7. Bon Secours Health System: 651,971 patients. On June 14, 2016, Bon Secours discovered that files containing patient information had accidentally been left accessible via the internet after one of their vendors, R-C Healthcare Management, misconfigured network settings.

8. Peachtree Orthopaedic Clinic: 531,000 patients. On October 13, Peachtree issued a public statement that on September 22, they had confirmed a hack. Although not in their disclosure/press release, an employee had told me in August that they were investigating a potential breach involving one of their vendors – and it was the same vendor presumably linked to other hacks by TheDarkOverlord. That was never confirmed by Peachtree, however.

9. Radiology Regional Center: 483,063 patients.  Radiology Regional Center announced that on December 19, 2015, its records disposal vendor, Lee County Solid Waste Division, informed it that paper records containing the personal information of the center’s patients blew off the truck while the records were being transported to an incineration site. Despite diligent efforts to retrieve all the records, because the center couldn’t be sure it had recovered everyone’s records, they sent notifications to everyone.

10. California Correctional Health Care Services: 400,000 patients. In July, California Correctional Center found themselves in the same situation as Radiology Regional Center: having to notify everyone because they were not sure who needed to be notified. In this case, on June 19, 2013, dental records were reported missing from a California Correctional Health Care Services staff member’s possession while off the premises of a correctional institution.

11. Community Health Plan of Washington: 400,000 patients. CHPW described the information in a way that made it sound like a hack of their business associate/claims processor, Transaction Applications Group Inc., doing business as NTT Data. But Justin Shafer publicly announced that he had found that their FTP server had not been secured and was allowing anyone and everyone to access and download files with no login required.

12. Central Ohio Urology Group: 300,000 patients. On August 2, a pro-Ukrainian hacktivist announced that he had hacked and dumped Central Ohio’s databases, presumably to send a warning to the U.S.

Nine of the 12 largest incidents were announced or described as hacks.  And as Protenus reported, we found that 87% of all breached records were associated with incidents that were coded as “hacks.” But did you notice that 6 of the 12 largest incidents above involved third parties and that 5 out of the 12 largest incidents involved human error? Is there anything we can – and should – learn from those observations?

I think there is, so please follow me to Part 2 of this post.