Analysis of August healthcare breaches highlights hacking incidents

Posted on by Dissent

Protenus’s Breach Barometer for August notes that hacking incidents accounted for 54.5% of the health data breaches disclosed in August and  95% of the 673,934 breached records for August incidents. Also of note:

Extortion demands and non-automated ransom demands also continue to plague the healthcare industry, although in many cases, media reports and HHS reports make no mention of the extortion component.

It is a point I have repeatedly tried to make, and I thank Protenus for including it in their report.  We have no idea how prevalent the problem really is due to lack of mandated reporting of extortion attempts and transparency. In August, for example, two entities reported breaches to HHS that I know involved extortion demands. One was a victim of TheDarkOverlord, and I reported that case on this site. But if you didn’t know that from this site, you wouldn’t know it from HHS’s tool. Nor could you even know that there were at least two such reports for the month or whether the two extortion incidents involved the same threat actor or different threat actors, and you wouldn’t know – and I don’t know – how many other incidents reported in August involved extortion demands.

Unfortunately, although HHS has issued guidance on ransomware and guidelines for reporting ransomware incidents, they offer no similar kind of guidance on whether extortion demands need to be reported to HHS as such and/or disclosed to patients as such. Nor do they provide any advice about what entities should do if they receive an extortion demand. Should they engage with the attacker? Should they pay? What does HHS recommend entities do if attackers prove to you that they’ve acquired your patients’ PHI and are threatening to dump it all publicly or sell it on the dark web?

The 33 incidents used for  Protenus’s August report are the ones listed below. You can find reports for many of these on this site by using the search function and inputting the entity’s name:

  • Aetna
  • Anesthesia Consultants of Fresno
  • Ashley Hall
  • Bluetail Medical Group
  • City of Hope
  • CVS Caremark
  • Daniel Drake Center for Post-Acute Care
  • Elderplan
  • Institute for Women’s Health
  • Kaiser Permanente – Riverside
  • Kaleida Health
  • McLaren Medical Group (Mid-Michigan Physicians)
  • MDeverywhere, Inc. and Continuum Health Alliance
  • Medical Oncology Hematology Consultants,PA
  • Mercy Hospital Logan County
  • MJHS Home Care
  • National DCP Health Plan
  • New Canaan residential treatment facility= Waveny
  • Northeast OB/GYN Associates
  • Oncology Consultants, P.A.
  • Pacific Alliance Medical Center
  • Salina Family Healthcare Center
  • Salina Family Healthcare Center
  • Silver Cross Hospital
  • South Bend Orthopaedic Associates Inc
  • Spectrum Health – Helen DeVos Children’s Hospital
  • Sport and Spine Rehab
  • Mark’s Surgical Center
  • Surgical Dermatology Group
  • TriPoint Medical Center
  • Vermont Medical Center
  • Waco Otolaryngology Associates d/b/a Waco Ear, Nose, & Throat
  • WellCare Health Plans, Inc.

 

Category: Breach IncidentsCommentaries and AnalysesHealth Data