The health records this year exposed to or lost to a cyber incident now amount to nearly 40 million.
Data Breach increase
The U.S. during October The Office for Civil Rights of the Department of Health & Human Services (HHS) has been informed of 52 data infringements that affected hundreds of thousands of health records. Since January 2014, the highest number of incidents has been reported and has impacted 661 830 records.
The count of health records exposed, lost or stolen until the end of October of this year passed the 38 million mark, reports HIPAA Journal. While the figure is remarkable when compared to the last three years (more than 3 times the amount reported in 2018 and more than 7 times the last year), it is far from the highest. The unfailed record was recorded in 2015, when health insurers Anthem and Premera Blue Cross declared infringements of data (1, 2) that affected personal information of 78,8 million and 11 million clients respectively.
Last month, healthcare services suppliers, plans and industry-related businesses in 24 countries reported infringements of information to the HHS Civil Rights Office. Most of the incidents were in Texas, 17 of them. Betty Jean Kerr People’s Health Centers (152,000), and Kalispell Regional Health Care (140,209) were the top two agencies with the highest number of records affected. Nevertheless, in the case of Betty Jean the documents seem to have been lost to a ransomware attack and not an unauthorized entity. The company decided not to pay the ransom for recovery and was unable to restore it from backups. 28 of these incidents were caused by unauthorized access or disclosure, of which 18 were caused by hacking or information technology accidents. This shows that the health sector remains an attractive and easy to attack objective. The HHS Civil Rights Office (OCR) has also provided financial penalties for some of the cyber incident impacted agencies. One of them resolved with an agreement to reveal publicly health information in response to a Yelp review. Following an investigation, OCR also found that in its privacy notice it did not include sufficient information. All parties agreed to a settlement of $10,000. Another ended with more than $2 million civil money penalty for the public disclosure of a photograph of an operating room display showing two people’s health, one of them “a well-known NFL star.”