Health data breaches are clearly not going away anytime soon; 2015 has already produced some of the largest breaches and hacking incidents on record.
The Anthem data breach and the Premera Blue Cross breach are the largest data breaches currently listed in the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) database, with approximately 90 million individuals affected by the two incidents combined. Both were caused by a cyber attack and took place earlier this year. More broadly, the largest single category of health data breaches reported so far this year is hacking or IT incidents, according to OCR.
There have been 92 incidents reported to HHS between Jan. 1, 2015 and May 6, 2015. Of those, 30 were classified as being caused by either a hacking or IT incident. The rest of the classification breakdown is as follows:
- 27 - unauthorized access/disclosure
- 22 - theft
- 10 - loss
- 3 - improper disposal
This trend continues one that HealthITSecurity.com previously reported on this year, with the largest six data breaches for 2015 all reportedly being caused by a hacking or IT incident. There has been a definite shift over the last several years when it comes to health data breaches.
For example, by widening the OCR search to include incidents from Jan. 1, 2010 up to today’s date, two of the top five largest breaches were reported as a hacking or IT incident. The next three were linked to either the loss or theft of a network server, desktop computer, or other such device. The top five health data breaches in that time frame were:
- When: March 13, 2015. Affected Individuals: 78.8 million. Cause: Hacking/IT Incident.
- Premera Blue Cross. When: March 17, 2015. Affected Individuals: 11 million. Cause: Hacking/IT Incident.
- Science Applications International Corporation. When: November 4, 2011. Affected Individuals: 4.9 million.
- Community Health Systems Professional Services Corporation. When: August 20, 2014. Affected Individuals: 4.5 million. Cause: Theft, Network Server.
- Advocate Health and Hospitals Corporation. When: August 23, 2013. Affected Individuals: 4,029,530. Cause: Theft, Desktop Computer.
The Journal of the American Medical Association (JAMA) recently reported on this trend as well, showing in research that hacking increased from 12 percent to 27 percent of incidents from 2010 to 2013.
David Blumenthal, MD, MPP, and Deven McGraw, JD, LLM, MPH, wrote an editorial accompanying the JAMA study, and said that both policy makers and providers must ensure that they are practicing “good data hygiene.”
“They neglect to implement basic precautions such as encrypting health data, prohibiting the storage of personal information on employees’ personal electronic devices (which are vulnerable to loss and theft), and using sound practices for authenticating authorized users,” Blumenthal and McGraw wrote, adding that HIPAA regulations have gaps in what they can protect.
For example, the federal rules do not state how PHI should be regulated when it is held by technology companies like Apple, Google, and Facebook.
“The fact that HIPAA regulates only certain entities that hold health data, rather than regulating health data wherever those data reside, seems illogical in today’s digital world,” the duo said. “Beyond the adequacy of HIPAA, the security of the nation’s health information systems is inextricably linked to the ability to fend off cyber threats more generally. National policy on this larger question remains nascent.”
That “nascent” state could soon change, though, as several variations on a national data breach notification bill are making their way through the legislative process. One of the more recent proposals, the Consumer Privacy Protection Act, would allow states to keep their own notification laws if they already have stricter policies in place. The legislation also includes medical and health information among the types of data about which individuals would need to be notified should it be compromised.