It feels like we’ve been seeing a lot more health care breaches caused by hackers and other IT security incidents, and there’s a good reason why: a recent report by cloud security company Bitglass confirms that both the number of breaches and the number of individuals affected by breaches caused by hackers and IT incidents grew significantly last year. Bitglass analyzed data from the HIPAA breach notification portal, also known as the “Wall of Shame,” published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Pursuant to the HITECH Act, HHS is required to post a list of all reported breaches that affect 500 or more individuals. OCR classifies the types of breaches reported on the Wall of Shame, and the “Hacking/IT Incident” category covers a variety of breaches, including malicious intrusion, malware, ransomware, phishing, and general IT security failures.
We’ve blogged many times recently about data breaches caused by hackers and other IT security incidents. (For example, see here and here.) Bitglass’s report found that, between 2018 and 2019, there was a 33% increase in the total number of breaches (386 vs. 290) and a 46% increase in the number of breaches caused by hacking or IT incidents (234 vs. 133). According to the report, hacking or IT incidents are currently the largest cause of breaches among health care organizations and accounted for over 60% of the total number of breaches and 86% of affected individuals last year. To add insult to injury, the cost per breach also increased significantly between 2018 and 2019, from $408 to $429 per affected individual. Therefore, more people are being impacted by hacking and IT incidents than by other types of breaches, and responding to breaches is becoming costlier than ever before.
Unfortunately, these numbers are not surprising given last year’s large-scale breaches caused by hackers at various types of health care organizations, such as electronic medical records company Medical Informatics (affecting about 3.5 million people) and billing firm American Medical Collection Agency (affecting about 20 million people). As we previously discussed in the HIPAA year-in-review post, OCR enforcement has been, and will continue to be, increasingly aggressive. Multi-million-dollar fines are now the norm, which adds to the increasing cost of handling large-scale breaches. Echoing Bitglass’s findings, the FBI warned health care organizations in October that ransomware attacks have become more targeted, sophisticated, and costly, with health care organizations remaining a high-value target. Health care providers must remain vigilant in training workforce members and implementing adequate security safeguards to minimize the risk of hacking and other types of breaches.