Health Care Data Breaches Hit a New High in First Half of 2021

While health care data breaches have become an all-too-common occurrence, the problem seems to be getting worse. According to the HHS’ Office for Civil Rights (OCR), there have already been 360 federally reported data breaches involving health information in the first half of 2021, the highest total for the first six months of a year since the government began tracking this data over a decade ago. Protected health information of nearly 23 million patients have been exposed as a result of this breach-fest. By comparison, there were 270 reported breaches involving 8 million patients in all of 2020.

The Breaches Are Getting Bigger

 The OCR tracks breaches across all industries. But, as in past years, healthcare was the number one culprit in the first half of 2021, accounting for 162, or nearly half, of the reported total. Breaches are becoming not only more frequent but also more extensive. And that figure doesn’t count breaches that have occurred but not yet been reported—remember that the HIPAA deadline for reporting a data breach is 60 days from discovery.

There were no fewer than five data breaches compromising data of over 1 million patients each. Florida health plan Healthy Kids Corp. reported the biggest single breach, a hacking attack on its web hosting platform exposing the information of 3.5 million applicants and enrollees. That figure includes several thousand online applicants for the plan’s Florida KidCare coverage whose street addresses that the hackers “inappropriately accessed and tampered with.”

What’s Causing the Breaches

At roughly 70 percent, hacking represents the most common cause of the breaches reported by providers, insurers and their respective business associates. Organizations reporting hacking breaches on their systems included CaptureRx, 20/20 Eye Care Network and American Anesthesiology. In addition to accessing data from organizational systems, several attacks resulted in its actual removal. This may be part of the latest form of ransomware in which hackers remove rather than encrypt patient records and threaten to publish or sell the data if the organization doesn’t pay a ransom.

5 Biggest Reported Health Care Data Breaches of 2021 (So Far), by Patients Affected

Source: OCR, Breach Report

However, even though hacking incidents are on the rise, the data security problem is far more extensive than that. For one thing, the “hacking/IT incidents” category encompasses not only hacking attacks but also breaches resulting from how an organization’s IT system is configured. The remaining 30+ percent of breaches resulted from theft, loss, improper disposal and unauthorized access or disclosure.

A Call for Action

In May, the American Hospital Association (AHA) issued an advisory calling on the federal government to start a “coordinated campaign” to target perpetrators of ransomware attacks in both the U.S. and abroad. In essence, the AHA urged the government to treat ransomware as a kind of terrorist activity and deploy diplomatic, financial, military and intelligence resources to combat it.

On July 14, the federal government launched StopRansomware.gov, a new interagency website that will provide centralized resources, reports and alerts from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) that health care and other organizations can use to prevent and respond effectively to ransomware attacks.