Breaches of US health data hit record high in 2021, driven by hacking surge, analysis of federal database shows

14 January 2022 23:10 by Mike Swift

Amid the ever-lengthening list of US health data breaches, 2022 began the same way 2021 ended: Federal regulators learned Jan. 2 that a Florida healthcare provider, Broward Health, had been hacked in a cyberattack that exposed the Social Security numbers and diagnosis records of 1.3 million people.

The United States in 2021 had a record year for data breaches involving electronic health data, just as the US previously notched record years for health data breaches in 2020 and 2019, an analysis by MLex of federal data shows. There is little reason to think 2022 will be different.

Between 2021’s first reported breach, a cyberattack against Desert Oasis Healthcare in California on Jan. 4, and the hack of an Arizona healthcare provider on the day before New Year’s Eve, the US averaged about two breaches a day in the just-completed year — an unprecedented 720 breaches that exposed the health records of nearly 46 million people, according to MLex’s analysis of a federal database of large breaches reported to the US Department of Health and Human Services. HHS is the federal regulator charged with policing data security for electronic health data stored by insurers, healthcare providers and their business associates.

Cyberattacks were overwhelmingly the cause of the nation’s breaches of health data, a dramatic turn from the situation a decade or even five years ago, and the key reason why the median size of a US health data breach doubled from about 2,000 people in 2017 to 4,000 in 2021.

The record number of large breaches — classified as involving 500 people or more by the HHS Office for Civil Rights — due specifically to hacking nearly quadrupled over the past five years, growing from 114 in 2016 to 429 in 2021. The growth in health data hacking attacks has been visible for years but has become significantly more notable since 2018.

Nearly three quarters of 2021’s breaches, and nearly 95 percent of the individual records breached, were the result of a hacking incident. The 39 largest health data breaches in 2021, starting with the breach of the records of 3.5 million children stored by the Florida Healthy Kids Corporation — the largest US medical data breach in 2021 — were all the result of a hacking incident, MLex found in crunching the HHS numbers.

The regulatory impact of the data breach surge is murkier than those clear breach trends. Even a hospital or health insurer with an excellent, well-funded cybersecurity program can be breached, and a breached entity with good security that discloses the breach and reacts aggressively to remediate it is unlikely to be sanctioned by state or federal regulators. As a result, the breach totals don’t necessarily mean the HHS Office for Civil Rights will be handing out a corresponding surge in fines.

The rise of ransomware as a cyberthreat also means personal data may be less the target of an attack than the enabler of it, as victims pay a ransom to regain access to their data. The growth in the size and number of breaches will mean more regulatory investigations, however, and potentially more class action litigation, such as the suit that led to the $115 million class-action settlement Anthem paid in 2017.

Broward Health was sued Wednesday in US district court in Fort Lauderdale, Florida, accused of negligence by plaintiff Abigail Walecki for allowing the hacker to exfiltrate bank account information, insurance information, driver’s license numbers and email addresses, as well as medical information and Social Security numbers.

Walecki, a Virginia woman, “already experienced attempted health insurance fraud as a direct and proximate result of the Data Breach and Defendant’s failure to adequately secure and maintain the Sensitive Information on its network,” the proposed class-action complaint said.

Hacking crisis?

Five years ago, in 2016, just over a third of large data breaches reported to OCR — 34.6 percent — were the result of a hacking incident. In 2021, hacks made up 73 percent of reported large breaches.

With hacking attacks taking off in the years since 2018, as international cybercriminals and even nation-states increasingly see the financial or political opportunity in hacking US health records, Pam Dixon, executive director of the World Privacy Forum, sees the US facing a crisis in the data security of electronic health records.

“Hacking has become more accurate; it has become more precise. Hacking is a professional-level job now. The kind of hacking we’re talking about is very, very sophisticated,” Dixon told MLex. “A lot of times, these are hacks where somebody is getting into the system, they pop a rootkit in, and they are sitting there watching over a long period of time.”

A rootkit is a package of malicious software that allows a hacker to secretly gain access to protected areas of a network and to lurk there for weeks or even months, observing how the system operates. That was exactly what happened in the Anthem breach in 2014, in which Chinese hackers associated with military intelligence groups lurked within Anthem’s servers for nearly a year, before pulling out the records of nearly 80 million people insured by the company.

Two Chinese nationals were indicted by the US Department of Justice in 2019 for an attack that experts said was state-sponsored.

“The real motivation for a state actor doing a hack, particularly with politicians, is they may have health records where they may be hiding something,” Dixon said. “Maybe it’s a genetically linked disease; maybe it’s a problem with alcohol or drugs.”

But even a hacker whose only motivation is money may prize health data because of its accuracy: people are more likely to provide very accurate information to their doctor or insurer, which makes it easier to profile them. One particularly evil scam, Dixon said, is false medical billing, in which a sophisticated cybercriminal may falsify medical records to add expensive conditions such as positive HIV status or alcoholism, and then start billing insurers for that fictional chronic malady.

Intimate health records also can be powerful bait for a phishing scam, tricking people into clicking on a malicious link in an email that they think must be genuine because of the private information it contains, said Bob Gellman, a privacy and information policy consultant in Washington, DC, who has researched health breaches with Dixon.

“If you have really granular health data and a list of very interesting people to whom that data belongs, you can sell it for quite a bit of money, and that’s what’s driving this,” Dixon said.


For much of the last decade, there was a modest annual increase in the totals of large breaches reported to OCR as required by the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.

The 720 large breaches in 2021 affected the health records of about one in seven Americans, reflecting a 94 percent jump over just three years. As recently as 2018, OCR logged only 371 large breaches — a 38 percent jump over the previous three years. Starting in 2019, however, there was a notable acceleration in both the median size and total count of large breaches.

What changed in 2018 isn’t fully understood. One possibility is that the same growing capabilities of artificial intelligence systems available for legal uses are also being harnessed by hackers. The hacking community is increasingly sophisticated and well-funded because of the lucrative successes of their illegal activity.

With HHS preparing this spring to begin a data security rulemaking process in the wake of President Joe Biden’s cybersecurity executive order in May 2021, OCR will be seeking public comment on how it should evaluate the data security practices of covered entities in making HIPAA enforcement decisions.

“The Biden-Harris Administration recognizes that the United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy,” said Rachel Seeger, a spokeswoman for the HHS Office for Civil Rights.

Even with the surge of data breaches and hacking, there will not necessarily be a corresponding jump in HIPAA enforcement actions, said Kirk Nahra, a lawyer with the firm Wilmer Hale who has been representing organizations in HIPAA cases for more than two decades. “The fact you have a breach doesn’t mean in any way that you’ve violated a HIPAA rule,” he said.

Nahra said the numbers on what’s colloquially dubbed the “Wall of Shame” of breached companies in the HHS database don’t necessarily directly correspond to the level of threat to individual records. That’s because ransomware attacks don’t necessarily correspond to people’s data being exposed to a hacker, since the goal is to extract money by shutting down the computer network, not stealing and selling data.

But health systems do pose an attractive target for a ransomware attack because the life-or-death need to have their systems operating could mean they are more likely to pay a ransom to keep those systems running.

“Ransomware is a big part of this. That’s clearly driving a lot of this. The reason to do a ransomware attack is not that [an individual’s] medical record has any value of its own, but if I put ransomware on a hospital computer, they can’t run their business,” Nahra said. “Compare the urgency of paying a ransomware attack on a hospital to a ransomware attack on The Gap.”
