Awareness & Training, Business Email Compromise (BEC), Data Breach

Analyzing the Latest ‘Wall of Shame’ Trends

Health Data Breach Victim Tally for 2018 Soars

About 30 new health data breaches – including a phishing attack impacting 1.4 million individuals – have been added in recent weeks to the official federal tally, pushing the total victim count for 2018 so far to 4.3 million.


As of Tuesday, 229 breaches affecting 6.1 million individuals had been added in 2018 to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, commonly called the “wall of shame.” The website lists health data breaches affecting 500 or more individuals since 2009.

The 30 incidents added to the tally since Information Security Media Group’s last snapshot in July affected a total of 2.2 million. Most of those had their data exposed as a result of a phishing attack against Health System/UnityPoint Health, which was reported to HHS on July 30. That incident, which involved a business email compromise scheme, is by far the largest health data breach posted to the wall of shame so far in 2018.

Business Email Compromise

“People are often taken off guard” by business email compromise schemes, when scam emails appear to be sent from a user’s boss or another colleague, says Teresa Grogan, CIO at Vertitech IT, a national healthcare IT consulting and engineering firm based in Holyoke, Mass.

“There needs to be a bigger shift in the training of folks and also deploying better advanced threat analytics technology from an email perspective,” she suggests.

Phishing attacks on healthcare entities involving business email compromise scams “may be more common than anyone might guess,” says Susan Lucci, senior privacy and security consultant at tw-Security. “This is why it is essential that if these types of emails are getting through, they need to be reported to IT or the help desk.”

Organizations that have heightened awareness surrounding phishing attacks are better positioned to avoid becoming a victim, Lucci adds.

Five Largest Health Data Breaches So Far in 2018







| Breached Entity | Individuals Affected |
|---|---|
| UnityPoint Health | 1,400,000 |
| California Dept. of Developmental Services | 582,000 |
| MSK Group | 566,000 |
| LifeBridge Health | 538,000 |
| SSM Health St. Mary’s Hospital | 301,000 |

Source: U.S. Department of Health and Human Services

Breach Breakdown

Of the breaches added to the federal tally in 2018 so far, 91 are listed as hacking/IT incidents impacting a total of 4.3 million individuals – or about 70 percent of all victims so far this year. Another 91 incidents are listed as “unauthorized access/disclosure” breaches, impacting nearly 803,000 individuals.

Sometimes breaches posted on the wall of shame are publicly disclosed as having involved a cyberattack but are reported to regulators as “unauthorized access/disclosure.” But this category of breach can involve many different types of circumstances.

For instance, the federal tally shows that the largest unauthorized access/disclosure breach reported to HHS so far in 2018 affected MedEvolve, an Arkansas-based vendor of practice management software. In that incident, a file containing patient data of one of MedEvolve’s former healthcare customers was inadvertently left on a file transfer protocol server that was exposed to the internet. That incident, reported in July, impacted more than 205,400 individuals.

Among other factors that can lead to unauthorized access, Lucci says, are curious staff members “along with those who just genuinely are concerned about a particular incident and want to find out what happened” to patients.

“This curiosity indicates that refresher or annual privacy education may not be achieving its goal,” she notes. “Remind the workforce about privacy and that curiosity is often just another word for snooping. And most organizations have a zero-tolerance for this type of activity that essentially is a reportable breach and that the sanction policy will be enforced.”

Organizations also should conduct frequent audits of records access, Lucci recommends. “Auditing access is required, but it is important to do it routinely and randomly, and the results of the audits should be shared at least at the management level to help reinforce privacy policy in every department,” she says.

Thefts and Losses

Some 41 breaches so far this year were reported as having thefts/loss as the cause; those affected a total of 677,000 individuals. Some 13 of those incidents impacting 597,000 individuals stemmed from the loss or theft of paper/film records. The remainder involved unencrypted computing devices; those affected a total of about 80,000 individuals.

With awareness growing of the importance of encrypting mobile devices, health data breach reports involving stolen or lost unencrypted devices are becoming far less frequent than a few years back.

Also added to the federal tally in 2018 were six “improper disposal” incidents impacting more than 330,000 individuals; nearly all were reported as involving paper/film records.

Since 2009, a total of 2,411 incidents impacting 187.7 million individuals have been posted to the wall of shame. Of those, 520 breaches involved hacking/IT incidents, impacting 141 million individuals, or about 75 percent of all victims affected by major health data breaches.




