The year 2021 appeared challenging, given the number and severity of healthcare data breaches. Review some of the most severe incidents and get key takeaways of the past year.
Since the HITECH Act called for publishing healthcare data breach figures on the Office for Civil Rights (OCR) website, the number and severity of healthcare data breaches reported annually has increased. The OCR portal lists 702 healthcare data breaches in 2021, each affecting the protected health information (PHI) of 500 or more individuals. In total, almost 50 million healthcare records were exposed or stolen in these incidents. On average, there were 1.9 data breaches per day in 2021, 10% more than in 2020.
Given the above statistics, 2021 is fairly ranked as one of the worst years in terms of the number and severity of healthcare data breaches. Get the key takeaways of the 2021 healthcare data breaches and review some of the most severe incidents below.
Hacking/IT incidents were by far the dominant cause of 2021 health data breaches, accounting for more than 73% of all incidents reported. For comparison, 66% of breaches in 2020 were caused by hackers. These statistics are not surprising, especially considering the proliferation of advanced hacking groups that use ransomware. Furthermore, healthcare organizations have become more susceptible to malicious attacks due to weaknesses in their supply chains.
At the same time, unauthorized access/disclosure as a cause of healthcare data breaches is on a downward trend. Specifically, unauthorized access/disclosure is responsible for 20% of all healthcare data breaches, 2 percentage points lower than in the previous year. Incidents caused by loss or theft of unencrypted devices account for as few as 2% of breaches. Thus, the previously dominant causes of healthcare data breaches – loss and theft incidents – have declined thanks to the increased use of encryption and of cloud services for storing data.
There is a significant increase in the number of business associates affected by PHI breaches compared to previous years. In 2021, 124 business associates were directly affected and reported PHI breaches themselves. For comparison, there were 73 data breaches reported by business associates in 2020 and 53 in 2019. In fact, the number of business associates involved in healthcare data incidents is even higher, because breaches they experience are often reported by the affected covered entities instead. Counting those, as many as 251 breaches in 2021 involved a business associate. This is consistent with the rise in supply chain attacks, in which criminals target small businesses and service providers to reach larger organizations such as healthcare providers.
May was the worst month for data breaches and HIPAA compliance incidents in 2021. In total, there were 63 breaches in that single month, resulting in the theft or exposure of nearly 6.5 million patients’ healthcare records. On average, each of these breaches resulted in the unauthorized disclosure of over 103,000 records. January 2021 was the worst month by per-breach severity, with almost 140,000 records per case on average. Although its total number of breaches was the smallest of any month – only 36 cases – the total number of healthcare records breached was one of the highest, at around 5.6 million.
February had the fewest data breaches. Although there was a slight increase in reported incidents compared to January – 45 against 36 – the number of healthcare records compromised was 1.2 million, an average of 27,443 records per incident. September was the second-quietest month, with 47 breaches and around 1.25 million records compromised.
The picture of 2021 data breaches would not be complete without analyzing the most extensive cases.
The largest 2021 healthcare data breach was a hacking incident involving the firewall vendor Accellion, affecting the PHI of at least 3.51 million people. Cybercriminals compromised Accellion’s File Transfer Appliance (FTA), a product used for transferring large files. By exploiting several vulnerabilities in the FTA, the attackers affected more than 100 companies, including at least 11 U.S. healthcare organizations. The Accellion FTA hack does not appear as a single incident on the OCR portal because each affected healthcare organization reported the breach separately.
2021 started with the second-largest healthcare data breach of the year – a hacking incident at the Florida Healthy Kids Corporation (FHKC) health plan. Analysis of the breach revealed that the PHI of 3.5 million individuals was exposed. The breach occurred because a security vendor failed to apply patches for multiple vulnerabilities on the FHKC website over a period of seven years. Personal information of millions who applied for coverage or were enrolled in Florida KidCare between 2013 and 2020 was exposed after the health plan’s website was targeted in a cyberattack.
Florida-based 20/20 Eye Care Network experienced a serious data breach of 3.2 million individuals’ records. The incident occurred as a result of a misconfigured Amazon Web Services (AWS) S3 cloud storage bucket. In January 2021, the company discovered that an unauthorized individual had accessed the storage bucket and downloaded some data, which may have included Social Security numbers, dates of birth, and health insurance information.
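The 20/20 Eye Care incident above came down to a bucket exposure. As an added example (not code from the original post or from any organization named in it), the Python check below flags bucket-policy statements that grant a read action to an anonymous principal, the kind of misconfiguration a pre-deployment review should catch; the two policy documents, the bucket name and the role ARN are constructed samples.

```python
import json

# Actions that expose bucket contents to whoever the principal covers.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _is_public_principal(principal) -> bool:
    # "Principal": "*" and {"AWS": "*"} both mean anyone, including anonymous users.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def find_public_read_statements(policy_json: str) -> list:
    """Return the Sid (or index) of each Allow statement that grants a read
    action to an anonymous principal. A Condition may narrow access (e.g. by
    source IP) but still deserves manual review, so it is not treated as a fix."""
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in READ_ACTIONS for a in actions) and \
                _is_public_principal(stmt.get("Principal")):
            hits.append(stmt.get("Sid", str(idx)))
    return hits


# Constructed weak policy: every object readable by anyone on the internet.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"}]})

# Constructed hardened policy: the same read limited to one role in the account
# (hypothetical account id and role name), plus a deny for non-TLS requests.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/phi-app-role"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-phi-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-phi-bucket",
                                    "arn:aws:s3:::example-phi-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

Running `find_public_read_statements` over a policy pulled with `aws s3api get-bucket-policy` gives the same result; the S3 Block Public Access account setting is the complementary control that stops such a policy from being attached at all.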
Forefront Dermatology experienced a data breach that impacted almost 2.5 million individuals in July 2021. An unauthorized user gained access to Forefront Dermatology’s IT network and accessed files containing PHI, including names, birth dates, patient account numbers, addresses, dates of service, provider names, medical treatment information, and medical record numbers.
Thus, the aggregate picture of 2021 healthcare data breaches shows that attacks on the healthcare industry have no sign of slowing down. The main trends in 2021 healthcare data breaches are the growing number of incidents and records breached, the growing number of targeted attacks, and more frequent supply chain attacks.
To stay updated on the most recent HIPAA-related topics, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist!