The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.
The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.
The Department of Health and Human Services' Office for Civil Rights adds breaches to its "wall of shame" tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.
According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.
The largest breach in 2014 was the hacking attack on Community Health System, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain's systems.
The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.Business Associate Troubles
The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.
However, in September, following a court hearing, the state and Xerox reached an agreed order for the vendor to retain the disputed documents and data until a hearing in January. Texas HHSC in a statement tells Information Security Media Group that the state "believes there was a low risk that client information was compromised and that the information will be protected" by Xerox as the court case continues.
Another top five health data breach in 2014 involved both a business associate and a more familiar culprit - stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services - L.A. County's vendor - affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.Unsecure Files
The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May "that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet. The breach affected more than 307,000 patients.
The fifth largest breach of the year occurred at the Indian Health Services, an HHS agency. That incident, which affected 214,000 individuals, involved an unauthorized access or disclosure involving a laptop computer, according to the tally.Shifting Trends
The largest health data breaches in 2014 highlight some shifting trends compared with previous years.
"In our opinion, hacker attacks are likely to increase in frequency over the next few years," says Dan Berger, CEO of security services firm Redspin. "Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes." That trend puts a spotlight in the need to do comprehensive penetration testing, as well as taking other steps to bolster security, he says. "If I was a hospital executive ... I'd want to know the most likely means by which a hacker can break in."
Nonetheless, while incidents involving hackers in the healthcare sector appear to be on an uptick, insiders still pose the biggest threat to most entities, says Michael Bruemmer, vice president of Experian Data Breach Resolutions.
"Of all the incidents we service, regardless of the vertical [market], 80 percent of the root cause is employee negligence," he says. That includes such mistakes as losing laptops or clicking on a phishing e-mails. "Employees are still the weakest link," he says in a recent interview with Information Security Media Group, calling for the ramping up job-specific privacy and security training.
Meanwhile, incidents such as the Texas Medicaid/Xerox breach also highlight the need for organizations to bring more scrutiny to their business associate relationships. Business associates, as well as their subcontractors, are directly liable for HIPAA compliance under the HIPAA Omnibus Rule that went into effect in 2013.
The breach tally also illustrates the need for HIPAA covered entities and business associates alike to strengthen their security risk management programs.
"The data tells us that a HIPAA security risk analysis, while mandatory, is necessary but not sufficient. The remediation plan is even more important," Berger says.
"Too often healthcare organizations do not allocate enough resources to fix the problems identified in the risk analysis. We also see a need for more frequent vulnerability analysis, Web application assessments and social engineering testing. Stated another way, the healthcare information security programs need to mature."