Hacking Tops List of 2015 Data Breach Causes

An analysis of breach reports during the first 5 months of the year shows that the main cause of 2015 HIPAA breaches is still hacking, which continues to expose patient health records in the millions.

The colossal data breach at Anthem Inc. exposed 78.8 million member records, while the HIPAA breach at Premera Health was potentially more serious. While 11 million records were obtained by hackers – considerably fewer than in the Anthem hacking incident – the data stolen was more substantial, and included medical information, personal identifiers and Social Security numbers: everything thieves need to commit fraud on a huge scale.

Hacking Main Cause of HIPAA Breaches and Exposes Most Records

HIPAA-covered entities are required – under the Breach Notification Rule – to report data breaches involving more than 500 individuals to the Department of Health and Human Services’ Office for Civil Rights. These breach reports must be made within 60 days of the discovery of a data breach.

The two mega data breaches certainly stand out in the breach report lists due to the volume of records compromised. They are the two largest healthcare breaches ever reported, and account for some 90 million records, substantially more records than were exposed in the whole of 2014.

According to a report compiled by HealthITSecurity, between January 1, 2015 and May 6, 2015 the OCR received 92 security breach reports. Just under a third of that total (30) have been attributed to hacking or network server incidents.

Unauthorized Disclosures Major Cause of PHI Exposure

However, in a close second is unauthorized access and disclosure, with 27 reported incidents for the year to date. Unauthorized disclosures have been caused by staff snooping on health records, incorrect mailings, data placed on insecure networks and carelessness. The loss and theft of devices are also a continuing problem, accounting for 22 incidents and 13 incidents respectively. Improper disposal only accounted for three incidents.

When hackers are able to gain access to healthcare databases, network servers and email accounts, they are able to obtain vast quantities of data. The Community Health Systems data breach of last year was caused by hackers, and they were able to obtain 4.5 million records. A year earlier, Advocate Health suffered a data breach as a result of a targeted attack, and just over 4 million records were stolen.

Hackers Exploiting Basic Security Holes

While the attacks are becoming more sophisticated in nature, in many cases, hackers are able to exploit basic security holes. Often these vulnerabilities result from the failure to perform fundamental security processes, such as changing default passwords, controlling the passwords that staff can use – excluding “password” for example – installing software patches and implementing policies covering the use of personal electronic devices at work.

Sometimes the simplest measures can be the most effective. Implementing these straightforward security measures, in addition to using data encryption for text messages and on all portable devices, will reduce the number of reported breaches considerably, and will make it harder for hackers to steal data.

Until healthcare providers change their attitudes and invest more heavily in IT security and compliance, the data breach trends are unlikely to change any time soon.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.