Over 660 data breaches at healthcare facilities were reported this year to the federal government

HHS reports slight increase in data breaches for healthcare in 2021

January 03, 2022
by John R. Fischer, Senior Reporter
Healthcare providers, insurers, and their business associates combined, saw just one more data breach this year compared to 2020, says a new report from the Human Service Department’s Office for Civil Rights.

The federal government was tipped off about 664 data breaches, which was the largest number of healthcare data breaches in a year since 2010. The total for this year surpassed last year by one single incident.

Data for nearly 43 million patients was compromised in 2021, but this is still less than half the number affected in 2015, when bad actors hacked the data of 112.5 million people, according to Modern Healthcare.

A report, however, published in July by Fortified Health said that the number of patients affected by such incidents increased by 185% from the year before, and that the number of reported breaches to the HHS increased 27% year-over-year during the first six months of 2021. Of all healthcare entities, providers experienced the most breaches at 73%, it said.

“Email phishing threats have been at or near the top of the list for quite some time, and there isn't any indication of the trend reversing itself in the near future. Healthcare organizations often overlook third party risk because managing business associates' risk profiles and driving the information security maturity of these entities is a resource-intensive endeavor," Fortified Health Security COO William Crank told HCB News.

The largest breach, according to this most recent report, involved data on an estimated 3.5 million people who applied or enrolled for coverage from Florida Healthy Kids, the state’s Children’s Health Insurance Program contractor, as far back as 2013. The hack was discovered last December and reported to HHS in January.

Under the Health Insurance Portability and Accountability Act, healthcare players must disclose breaches within 60 days of discovering them. This means that some incidents in the HHS database may have occurred last year or even earlier and that data for November and December this year may be limited.

Certain states also have their own timelines for reporting data breaches. In Texas, providers must report attacks to the state attorney general within 60 days as well. One practice, Gastroenterology Consultants, reported a January hacking to HHS in the specified time frame but waited seven months to do so with the state attorney general and the public.

Its failure to disclose the incident was met with backlash, along with the fact that it paid the hackers the ransom they requested and trusted them to delete the data once they received the money. “It’s just ridiculous,” said patient Amber Wietlispach. “You can pay them off, but how do you know? How do you know that they really got rid of your information?”

UC San Diego Health also faced criticism as well as a lawsuit over its handling of a data breach that occurred last winter. The incident was a phishing scam that took place between December and April and led to unauthorized access to certain email accounts.

As a result, cancer patient Denise Menezes, of El Cajon, accused it of negligence, breaching contract and going against state consumer and privacy and medical confidentiality laws in the suit. She also criticized it for taking too long to notify patients, and for lacking procedures necessary to identify the intrusion quickly and claims that the breach violates HIPAA privacy and security rules.

In a recent presentation at RSNA 2021, Erik Decker, chief information security officer for Intermountain Healthcare, recommended that healthcare practices work more closely with IT vendors, consult the Health Industry Cybersecurity Practices (HICP) playbook, conduct mock phishing attacks to learn, and take advantage of multifactor authentication and antivirus protection technologies.

“Cybersafety is a patient safety problem. You look at this insurmountable challenge and think, "how am I supposed to defend against this?” he stated.