Recent HIPAA Breaches Highlight Need for Providers to Remain Vigilant
A recent disclosure by Community Health Systems, Inc. (CHS) of a data breach compromising information on 4.5 million of its patients highlights the need for providers to remain vigilant in securing patient information. The CHS breach is only the largest of several recent incidents at health care providers, each affecting a substantial number of individuals. Health care providers may want to use this occasion to review and update their policies and safeguards as necessary to address emerging threats and vulnerabilities to their systems.
Recent breaches of data held by health care providers
CHS is a health system whose affiliates own, operate or lease 206 hospitals in 29 states. As reported by CHS in a filing with the Securities and Exchange Commission (SEC), the breach resulted from a targeted, external cyber-attack on CHS's computer network in April and June 2014. CHS believes the attacks originated from China and involved "highly sophisticated malware and technology" that enabled the attacker to bypass CHS's security measures. The breaches were the result of an advanced persistent threat, or "APT," in which an attacker works in multiple phases, typically over a long period of time: conducting reconnaissance of a target; breaking into the network, often by social engineering; mapping the organization's assets and defenses; installing additional malware to maintain access; and accessing, capturing and exfiltrating information. According to the SEC filing, the attackers were able to copy and transfer data, including patient names, addresses, birth dates, telephone numbers and Social Security numbers, to networks outside CHS. The attackers did not acquire credit card numbers or any medical or clinical information. CHS has said it will offer credit monitoring to affected individuals and that it carries liability insurance against losses of this nature.
The type of breach that occurred at CHS could happen to any health care provider. As the Federal Bureau of Investigation's (FBI) Cyber Division noted in a Private Industry Notification earlier this year, the health care industry generally "is not technically prepared to combat against cyber criminals' basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs)."[1] Given the sophistication of the attack on CHS, similar intrusions may be under way, undetected, at other health systems. The breach at CHS is just one of a number of breaches in the last year involving information held by health care providers. Based on information published on the Office for Civil Rights' (OCR) breach portal, which lists reported breaches affecting 500 or more individuals, other recent and notable breaches of data held by health care providers include:
A breach reported by St. Joseph Health System in Texas affecting 405,000 individuals. The breach may have exposed names, Social Security numbers and medical information, among other data.
A breach reported by UW Medicine in Washington affecting over 76,000 individuals.
A breach reported by Centura Health in Colorado affecting over 12,000 individuals.
A breach reported by Nrad Medical Associates in New York affecting 97,000 individuals.
A breach reported by the Montana Department of Public Health and Human Services affecting over 1,060,000 individuals.
Incidents reported to OCR in the last 12 months include breaches of information stored on desktop computers, network servers and portable electronic devices, as well as information sent by email.
Cybersecurity threats facing health care providers
A review of OCR's website reveals that a wide range of health care providers have had to report breaches involving more than 500 individuals, including health systems, medium-sized medical groups and sole practitioners. Health care providers are especially attractive targets for data theft because of the high value cyber criminals place on medical information, which is often worth more than credit card data. The black-market price of a single patient's medical record is reportedly $50, and a record has a longer useful lifespan than a credit card because, unlike a card number, it cannot be cancelled and reissued; by comparison, a stolen Social Security card is reportedly worth only $1.[2] According to the Identity Theft Resource Center, 43.4% (204 of 470) of all breaches identified by the Center as of August 12, 2014 fell within the "medical/healthcare" category.[3] A patient's protected health information (PHI) held by a health care provider may include health insurance information, Social Security numbers, medical history and diagnoses, and bank account or other payment information, any of which can be used for identity theft or insurance fraud.
Cybersecurity threats facing health care organizations include: