Healthcare keeps taking the data breach hits

Reading time: 4 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

The hits to the healthcare industry keep on coming. While the number of overall data breaches tracked by the Identity Theft Resource Center (ITRC) hit a record in 2016, with 1,093, which is a 40 percent increase over the previous record in 2015 of 780 breaches – It’s healthcare that continues to grow the most.

According to the ITRC report, the healthcare segment has experienced the biggest growth in overall breaches in the past decade. In 2007, the healthcare/medical vertical accounted for about 15 percent of the  overall number of data breaches, and in 2016 that’s risen to 35%. Most every other category, except general business is down during that same period, including education, government/military, and banking/credit/financial.

How did other business sectors compare to healthcare this year? According to the ITRC the general business sector, with 494 breaches reported, topped the list of total breaches and consisted of 45.2 percent of the overall number of breaches. With 377 incidents, the healthcare/medical industry came in second with 34.5 percent of the overall total. The education, government/military and the banking/credit /financial sector all came in below 10 percent.

If the start of 2017 is any indication, it’s a good bet that healthcare will continue its breach record breaking streak. Earlier this year, in my home state of Minnesota, the nonprofit provider of health and wellness support for the community Family Service Rochester (FSR), fell victim to a ransomware attack that affected just over 17,000 people. According to a statement on FSR’s website, at the end of January, the organization learned that “a portion of its files had been encrypted by ransomware. FSR immediately notified law enforcement and initiated an investigation. The investigation identified unauthorized access through a user account from December 26, 2016 to January 25, 2017,” the statement reads.

According to the statement, the data potentially accessed may have included name, address, date of birth, Social Security number, driver’s license number, insurance identification number and medical information. Those who were affected were notified and informed about the specific type of information the attackers may have accessed about the data breach victims.

In another incident, Emory Healthcare announced that its Orthopaedics & Spine Center and Brain Health Center (EHC), based in Georgia, USA announced that a data breach at a third-party database provider. According to their breach disclosure, “This database contained limited information used in updating appointment information including patients’ names, dates of birth, contact information, internal medical record numbers, and basic appointment information such as dates of service, physician names and whether patients required imaging (but not the type of imaging).”

Fortunately, the database did not contain patients’ Social Security numbers, financial information, diagnosis or other electronic medical record information, Emory Healthcare said.

On January 3, 2017, Emory Healthcare learned that there was unauthorized access to the database “after someone deleted the database and demanded that EHC pay to have it restored. We learned that there was another unauthorized access by an independent security research center that searches out vulnerabilities in applications and traditionally notifies the company so that it can be remedied,” their disclosure reads.

I expect many more similar breaches in healthcare this year According to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal there have been 48 healthcare data breaches disclosed so far this year, and we’re not even a quarter of the way through 2017 yet.