BreachExchange mailing list archives

Biggest Health Data Breaches in 2014


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 24 Dec 2014 20:10:45 -0700

http://www.databreachtoday.com/biggest-health-data-breaches-in-2014-a-7705

The five biggest 2014 health data breaches listed on the federal tally so
far demonstrate that security incidents are stemming from a variety of
causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message
about the importance of encrypting laptops and other computing devices to
prevent breaches involving lost or stolen devices, still the most common
cause of incidents. They also highlight the need to bolster protection of
networks and to carefully monitor the security practices of business
associates.

The Department of Health and Human Services' Office for Civil Rights adds
breaches to its "wall of shame" tally of incidents affecting 500 or more
individuals as it confirms the details. A snapshot of the federal tally on
Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3
million individuals have occurred since the HIPAA breach notification rule
went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected
a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health
Systems, which affected 4.5 million individuals. In that incident, forensic
experts believe an advanced persistent threat group originating from China
used highly sophisticated malware and technology to attack the hospital
chain's systems.

The Community Health Systems incident is also the second largest health
data breach since the enactment of the HIPAA data breach notification rule
in 2009. The largest breach is a 2011 incident involving TRICARE, the
military health program, and its contractor, Science Applications
International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate.
That breach, affecting 2 million individuals, involved an ongoing legal
dispute between the Texas Health and Human Services Commission and its
former contractor, Xerox, which had provided administrative services for
the Texas Medicaid program. The breach arose when the state ended its
contract with Xerox. The vendor allegedly failed to turn over to the state
computer equipment, as well as paper records, containing Medicaid and
health information for 2 million individuals.

Another top five health data breach in 2014 involved both a business
associate and a more familiar culprit - stolen unencrypted computing
devices. That Feb. 5 incident involved a vendor that provided patient
billing and collection services to the Los Angeles County departments of
health services and public health. The theft of eight unencrypted desktop
computers from an office of Sutherland Healthcare Services - L.A. County's
vendor - affected more than 342,000 individuals, the federal tally shows.
Initially, that breach was believed to have impacted about 168,000
individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone
Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging
services, which became aware in May "that a seldom-used folder containing
patient billing information relating to dates prior to August 2012 had
inadvertently been left accessible via the Internet." The breach affected
more than 307,000 patients.

The fifth largest breach of the year occurred at the Indian Health
Services, an HHS agency. That incident, which affected 214,000 individuals,
involved an unauthorized access or disclosure involving a laptop computer,
according to the tally.

Shifting Trends

The largest health data breaches in 2014 highlight some shifting trends
compared with previous years.

"In our opinion, hacker attacks are likely to increase in frequency over
the next few years," says Dan Berger, CEO of security services firm
Redspin. "Personal health records are high value targets for cybercriminals
as they can be exploited for identity theft, insurance fraud, stolen
prescriptions, and dangerous hoaxes." That trend puts a spotlight on the
need to do comprehensive penetration testing, as well as to take other steps
to bolster security, he says. "If I was a hospital executive ... I'd want
to know the most likely means by which a hacker can break in."

Nonetheless, while incidents involving hackers in the healthcare sector
appear to be on an uptick, insiders still pose the biggest threat to most
entities, says Michael Bruemmer, vice president of Experian Data Breach
Resolutions.

"Of all the incidents we service, regardless of the vertical [market], 80
percent of the root cause is employee negligence," he says. That includes
such mistakes as losing laptops or clicking on phishing e-mails.
"Employees are still the weakest link," he says in a recent interview with
Information Security Media Group, calling for ramping up job-specific
privacy and security training.

Meanwhile, incidents such as the Texas Medicaid/Xerox breach also highlight
the need for organizations to bring more scrutiny to their business
associate relationships. Business associates, as well as their
subcontractors, are directly liable for HIPAA compliance under the HIPAA
Omnibus Rule that went into effect in 2013.

The breach tally also illustrates the need for HIPAA covered entities and
business associates alike to strengthen their security risk management
programs.

"The data tells us that a HIPAA security risk analysis, while mandatory, is
necessary but not sufficient. The remediation plan is even more important,"
Berger says.

"Too often healthcare organizations do not allocate enough resources to fix
the problems identified in the risk analysis. We also see a need for more
frequent vulnerability analysis, Web application assessments and social
engineering testing. Stated another way, the healthcare information
security programs need to mature."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 