HIPAA Journal has revealed that by October this year, over 400 healthcare data breaches took place in the United States, resulting in the exposure, theft, or loss of over 38 million healthcare records, more than the number of records compromised in the previous three years combined.
In the month of October alone, a total of 52 healthcare data breaches took place, resulting in the breach, exposure, or theft of 661,830 healthcare records and affecting 363,432 individuals. Hacking and incidents of unauthorised access or disclosure were the main reasons behind these breaches, accounting for 18 and 28 incidents respectively.
What's most concerning is that the number of healthcare records exposed, breached, or stolen in 2019 so far exceeds the number of records exposed, breached, or stolen in the previous three years combined.
While healthcare data breaches compromised 16.6 million records in 2016, 5.1 million in 2017, and 12 million records in 2018, data breaches that occurred between January and October this year resulted in the exposure, breach, or loss of over 38 million healthcare records, affecting millions of patients in the United States.
A number of high-profile cyber security incidents took place in October alone that resulted in the breach of hundreds of thousands of patients' medical records. While a ransomware attack on Betty Jean Kerr People’s Health Centers led to the loss of 152,000 records, a phishing attack targeting Kalispell Regional Healthcare led to hackers accessing records of up to 140,209 patients without authorisation.
The total number of reported healthcare data breaches in October also rose by 44.44% month-over-month, compared to 36 such incidents in September, 49 in August, 50 in July, and 30 in June.
A majority of the network server breaches were due to ransomware attacks
HIPAA Journal reported that while 18 hacking incidents resulted in the compromise of 501,847 healthcare records, there were 28 reported unauthorised access/disclosure incidents involving a total of 134,775 records, and there were five incidents of theft or loss involving 13,454 records.
"The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.
"Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred," HIPAA Journal noted.
"Given the increased cyber-attacks against healthcare organisations, it is simply no longer sufficient to merely be compliant with security frameworks. When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances, but also provides protection for data in transit and at rest," says Dean Ferrando, systems engineer manager for EMEA at Tripwire.
Ilia Kolochenko, founder and CEO of ImmuniWeb, says that the reported number is composed of identified and reported breaches, but that is just the tip of the iceberg. Most of the breaches are, however, never detected due to their sophistication or inadequate level of cybersecurity and breach detection.
"With the rapid proliferation of outsourcing and sensitive data handling by numerous third parties, breaches stemming from external providers is unclear but probably of immense size. Continuous security monitoring and anomaly detection, asset inventory and attack surface management enhanced with well-thought-out and properly enforced third-party risk management are crucial for an effective cybersecurity strategy," he adds.