by John R. Fischer, Senior Reporter | January 03, 2022
Over 660 data breaches at healthcare facilities were reported this year to the federal government
Healthcare providers, insurers, and their business associates combined saw just one more data breach this year than in 2020, says a new report from the Human Service Department’s Office for Civil Rights.
The federal government was tipped off about 664 data breaches, which was the largest number of healthcare data breaches in a year since 2010. The total for this year surpassed last year by one single incident.
Data for nearly 43 million patients was compromised in 2021, but this is still less than half the number affected in 2015, when bad actors hacked the data of 112.5 million people, according to Modern Healthcare.
However, a report published in July by Fortified Health said that the number of patients affected by such incidents increased by 185% from the year before, and that the number of breaches reported to the HHS increased 27% year-over-year during the first six months of 2021. Of all healthcare entities, providers experienced the most breaches at 73%, it said.
“Email phishing threats have been at or near the top of the list for quite some time, and there isn't any indication of the trend reversing itself in the near future. Healthcare organizations often overlook third party risk because managing business associates' risk profiles and driving the information security maturity of these entities is a resource-intensive endeavor,” Fortified Health Security COO William Crank told HCB News.
The largest breach, according to this most recent report, involved data on an estimated 3.5 million people who applied or enrolled for coverage from Florida Healthy Kids, the state’s Children’s Health Insurance Program contractor, as far back as 2013. The hack was discovered last December and reported to HHS in January.
Under the Health Insurance Portability and Accountability Act, healthcare players must disclose breaches within 60 days of discovering them. This means that some incidents in the HHS database may have occurred last year or even earlier and that data for November and December this year may be limited.
Certain states also have their own timelines for reporting data breaches. In Texas, providers must report attacks to the state attorney general within 60 days as well. One practice, Gastroenterology Consultants, reported a January hacking to HHS in the specified time frame but waited seven months to do so with the state attorney general and the public.