Health Data Breaches in 2017: The Year in Review

Protenus, Inc. has released its 2017 review of breaches involving health data. It is the second annual review they have published since we began collaborating on data collection and analyses.

As a reminder of last year’s major findings:  Protenus reported that  in 2016, insider incidents constituted approximately 43% of the 450 incidents we had compiled from multiple sources, but only accounted for a relatively small percentage of breached records (7%). Hacking incidents, while accounting for only about one fourth of all incidents (27%), accounted for 87% of breached records.  Protenus had also reported that:

• Insider-error accounted for more breached records per incident than willful insider-wrongdoing;
• Insider-wrongdoing incidents took almost twice as long to detect as insider-error incidents; and
• Overall, breaches took 233 days to discover and 344 days to report or disclose publicly.

So what happened?  What did 2017 look like?

Overview of 2017 Data

The total number of incidents was comparable in 2016 and 2017. We had 450 incidents for 2016 (although another 12 came in later), and 477 for 2017. Based on 407 incidents disclosed in 2017 and for which we had sufficient data:

• There were 5,579,438  breached records in 2017, compared to 27,314,647 records for 2016;
• The largest health data breach reported in  2017 was 697,800 records involved in an insider-wrongdoing incident.  In 2016, the largest incident Protenus reported was a hacking incident affecting  3.62 million records (although there was actually a much larger incident, but it was never confirmed by any entity);
• For the 220 health data breaches for which we had sufficient data in 2017, it took an average of 73 days for organizations to report a breach to HHS after it was discovered. That is a significant improvement compared to the 344 days it took in 2016.

Insider Incidents

• There were 176 insider incidents in 2017, compared to 192 last year, with 1,682,836 patient records affected in 2017;
• Insider incidents accounted for  37% of all incidents we compiled for 2017;
• Insider-error incidents accounted for 102 incidents and 785,281 patient records for 86 incidents for which we had numbers;
• Insider-wrongdoing incidents accounted for 70 incidents and  893,978 records for 57 incidents for which we had numbers;
• Insider incidents took longer to discover than hacks or external events. In fact,  for all months, the longest gap to discovery was an insider incident (for seven months, the longest gaps involved insider-wrongdoing incidents; for five months, the longest gaps were insider-error incidents).
• There was no evidence of any significant improvement in time to detect insider breaches. In fact, the average gap from breach to detection was longer in 2017 than in 2016, possibly due to improved detection of some very old breaches that had not been detected until now.
• Breaches involving insider incidents tended to be reported more quickly to HHS OCR than hacking incidents.

Note that reports of insider-error incidents for 2017 once again included incidents where entities or their vendors misconfigured backup databases or devices. By now, there have been numerous reports on the problem and free resources to help entities get their configurations correct, and yet…… researchers continue to find exposed patient data. Thankfully, many either let the entities know or ask me to help notify the entities so that they can secure the data.

That said, one particular type of insider misconfiguration error may be significantly under-represented in our 2017 data set. In March, 2017, the FBI issued a Private Industry Notification warning entities to check their FTP servers to ensure that they were adequately secured. The PIN was very confusing, as it cited to not a single known incident where any threat actor had found exposed data on a public FTP server and then tried to extort the entity, although the PIN claimed this was happening.

In fact, the arrest of researcher Justin Shafer in April, 2017 essentially called a halt to our awareness of all of the misconfigured FTP servers exposing patient data because to my knowledge, Shafer was pretty much the only researcher who was devoting time to uncovering leaking FTP servers by using particular search engines and keywords or strings. Had he remained able to continue his research, we likely would have had at least one or two dozen more reports of  data leaks.  Hopefully, once Shafer’s legal problems are resolved, he will resume his helpful research.

While we lost the benefit of Shafer’s research for most of 2017, we likely did make some progress due to bug bounty programs (see HackerOne‘s roundup and optimistic commentary). Due to bug bounty programs, we may not find out about some data leaks that never get reported to HHS OCR.

Hacking/External Incidents

• We recorded 178 hacking incidents in 2017, with numbers for 144 of those incidents, totalling 3,436,742 patient records. Those figures represent significantly more hacking reports in 2017 than in 2016, but significantly fewer breached records;
• In 2016, 30 of the hacking incidents involved ransomware. In 2017, 54 incidents specifically mentioned ransomware and 10 other incidents reported “malware.” This is a larger number than that reported by Cryptonite in their recent report on the significant upsurge in ransomware, but their report was confined to incidents on HHS’s breach tool.

In actuality, the ransomware situation is likely even more dire than Cryptonite’s report or our 2017 data might suggest. Ransomware such as SamSam, which was first sighted in the healthcare sector at the end of 2016, does not necessarily lock up or target patient records, but can be configured to attack hospital functions and operating systems. A hospital’s overall ability to function and to deliver care and access patient records may come to a screeching halt in an incident that might never get reported to HHS because patient records were not directly accessed or exfiltrated.  Recent incidents reported by Hancock Regional and Adams Memorial demonstrate the potential impact.

While ransomware remains a major and even increasing threat to healthcare entities, we would be remiss to neglect other external threats such as theft (58 incidents in 2017, affecting more than 215,000 records), and phishing.  That devices with unencrypted patient information are still being stolen from unattended employee vehicles is disheartening and yes, infuriating. But email-based attacks are an even bigger threat than theft, and are difficult to totally prevent. Even with well-designed employee training, some phishing attacks are quite sophisticated  and many small-medium entities may not have the tools to block employees from clicking on links. A recent Modern Healthcare article discusses the phishing/email problem in more detail.

Apart from ransomware, there’s also extortion as an external threat.   In 2016, we first saw TheDarkOverlord (TDO) attempt to extort victim clinics or medical entities, demanding outrageously high amounts of BTC if the victims didn’t want them to dump or sell patients’ protected health information. In 2017, TDO continued hacking medical entities, but they did not publicize all of their attacks. DataBreaches.net was made aware of other hacks of theirs involving healthcare entities that have never been reported nor disclosed publicly and are not included in our 2017 analyses.

Of note, in 2017, TDO also expanded their attacks to include some public schools. Public schools often contain a wealth of highly sensitive personal, medical, and health insurance information.  In an encrypted chat with DataBreaches.net, TDO claimed that that’s exactly what they went after – counseling and nursing records (although they claim they also acquired other types of data, too).

In response to TDO’s attacks on a few school districts, the U.S. Department of Education issued an alert to schools.

One of the surprises, perhaps, in the 2017 data was the relatively smaller number of business associate incidents than we might expect to see.  Only 66 reports mentioned business reports, and for the 53 of those for which we had numbers, 647,198 records were involved. I continue to think that we are seriously under-collecting and under-reporting the problem with third-party vendors and business associates because of the way HHS’s reporting form is structured. I would love to see them revise their reporting form and would happily help them with creating what I think might be more helpful fields/options.

Looking Ahead

Okay,  I’ll dust off my crystal ball and try to make a few predictions for 2018. Put absolutely no stock in these predictions, as I am not a security professional:

1. Things will get worse. I’m pretty confident about this one.  Unless you give me chocolate, in which case the outlook might improve.
2. There will be more ransomware reports in 2018 than in 2017, and there will be many more that never get reported to HHS. Some entities will continue to pay ransom because restoring from backups may take too long if the hospital’s services are interrupted.
3. Threat actors will think smaller in 2018:  they will hit smaller entities and hit them for smaller ransoms.  It’s the “We’ll make it up in volume” mentality.  We’ve already seen it in the ransacking of databases last year and some SamSam attacks recently. Because they have fewer resources, smaller entities may be particularly devastated by a breach, as we saw with a mental health clinic in Maine that reportedly folded after all its patient records were hacked and sold on the dark web.
4. There will be less enforcement action by HHS OCR.  Some state attorneys general will try to pick up the slack to protect their residents, but states will not hit entities with penalties as large as HHS OCR would.

You can access Protenus’s full report here.  Obviously, they are not responsible for my opinions or my predictions. They have enough problems without taking responsibility for me.

Here’s wishing for a better year for us all in 2018, and thanks to all of you who encourage me and support my efforts to keep compiling data on breaches involving health data.