4 of the most common ways private health information was breached in 2022
This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.
When cybercriminals want a lucrative target, many go after health care data. Health care is the most targeted sector for cyber criminals seeking to steal and sell Americans' private information. Attacks in this sector have doubled since 2016 and are beginning to have increasingly severe consequences for privacy and patient outcomes.
According to the Center for Internet Security, criminals are motivated to steal health-related data because people can't change their medical history. Criminals use the information to create scams targeting individuals or make fraudulent insurance claims.
Drata used reports on health data breaches from the Health and Human Services Department's Office for Civil Rights to find the four most common culprits in 2022. The analysis includes breaches of unsecured protected health information affecting 500 or more people and is limited to those that were submitted to the Secretary of Health and Human Services within the calendar year 2022. Breaches come from various locations, including emails, servers, portable electronics, paper, and film.
Few breaches came from improper disposal of medical files—just four breaches in 2022 fell into this category.
There were more than 700 health data breaches in the United States in 2022, affecting more than 52 million people. Of those, only 1 in 5 has been resolved, by addressing the causes of the breach or assisting its victims with protecting themselves, or both. Most breaches remain under investigation.
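The tally Drata describes above (keep reports of 500 or more individuals submitted in calendar year 2022, then count breaches, sum individuals affected and find the most common locations per breach type) can be reproduced over the OCR breach portal's CSV export. The script below is an added example, not Drata's or HHS's code; the column names are assumed to match the portal's export layout, the date format is assumed to be month/day/year, and the sample rows are constructed and do not describe any real organization or incident.

```python
"""Tally HHS OCR breach-report rows by breach type.

Added example (not Drata's or HHS's code). It mirrors the analysis the
article describes: keep reports of 500+ individuals submitted in calendar
year 2022, then count breaches, sum individuals affected and list the most
common locations per breach type. Column names are assumed to match the
OCR breach portal CSV export; the sample rows are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the assumed OCR export layout (not real reports).
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,WI,Healthcare Provider,2600000,04/28/2022,Hacking/IT Incident,Network Server
Example Plan B,IL,Health Plan,3000000,10/14/2022,Unauthorized Access/Disclosure,Network Server
Example Clinic C,CA,Healthcare Provider,150000,03/15/2022,Theft,Paper/Films
Example Clinic D,VA,Healthcare Provider,4500,06/02/2022,Loss,Desktop Computer
Example Clinic E,TX,Healthcare Provider,700,07/19/2022,Hacking/IT Incident,Email
Example Clinic F,NY,Healthcare Provider,499,08/01/2022,Theft,Laptop
Example Clinic G,OH,Healthcare Provider,12000,12/30/2021,Hacking/IT Incident,Email
Example Clinic H,FL,Healthcare Provider,900,09/09/2022,Hacking/IT Incident,"Network Server, Email"
"""


def parse_reports(csv_text):
    """Parse the export into rows with typed fields (assumed column names)."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": raw["Name of Covered Entity"],
            # Counts in the export may carry thousands separators.
            "individuals": int(raw["Individuals Affected"].replace(",", "")),
            "submitted": datetime.strptime(
                raw["Breach Submission Date"], "%m/%d/%Y").date(),
            "breach_type": raw["Type of Breach"].strip(),
            # One report can list several locations, comma separated.
            "locations": [
                loc.strip()
                for loc in raw["Location of Breached Information"].split(",")
                if loc.strip()
            ],
        })
    return rows


def in_scope(row, year=2022, min_individuals=500):
    """Apply the article's filter: reporting threshold and calendar year."""
    return row["submitted"].year == year and row["individuals"] >= min_individuals


def summarize_by_type(csv_text, year=2022, min_individuals=500, top_n=2):
    """Return {breach_type: {breaches, individuals, top_locations}}."""
    by_type = defaultdict(
        lambda: {"breaches": 0, "individuals": 0, "locations": Counter()})
    for row in parse_reports(csv_text):
        if not in_scope(row, year, min_individuals):
            continue
        bucket = by_type[row["breach_type"]]
        bucket["breaches"] += 1
        bucket["individuals"] += row["individuals"]
        bucket["locations"].update(row["locations"])
    return {
        breach_type: {
            "breaches": b["breaches"],
            "individuals": b["individuals"],
            "top_locations": [loc for loc, _ in b["locations"].most_common(top_n)],
        }
        for breach_type, b in by_type.items()
    }


if __name__ == "__main__":
    summary = summarize_by_type(SAMPLE_CSV)
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["breaches"], reverse=True)
    for breach_type, stats in ranked:
        print(f"{breach_type}: {stats['breaches']} breaches, "
              f"{stats['individuals']:,} individuals, "
              f"locations: {'; '.join(stats['top_locations'])}")
```

Run against the real export by replacing `SAMPLE_CSV` with the file contents; the two rows that fall outside the article's scope in the sample (one under the 500-person threshold, one submitted in 2021) are dropped by `in_scope` before tallying.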
1. Hacking/IT incident
- Number of breaches: 564 (19% resolved, 81% under investigation)
- Individuals affected: 44.2 million
- Most common locations of breached information: Network server; email
Electronic record-keeping is relatively new in the health care industry. In 2008, just 9% of hospitals and 17% of office-based physicians used a certified electronic health records system. But by 2021, 96% of hospitals and 78% of office-based physicians used them, according to the Office of the National Coordinator for Health Information Technology. Because the industry has less experience protecting electronic data, its companies also have less experience with cybersecurity, which means criminals have had an easier time hacking into servers and emails to steal information.
One such attack occurred in April 2022, when OneTouchPoint, a Wisconsin-based mailing and printing services provider for health care organizations, discovered a ransomware attack that left encrypted files on its servers. The compromised systems contained personal health information such as names, addresses, birth dates, family histories, medications, and specific health services belonging to more than 2.6 million people seen by at least 34 organizations, including Humana, Kaiser Permanente, and several Blue Cross Blue Shield affiliates.
2. Unauthorized access/disclosure
- Number of breaches: 115 (23% resolved, 77% under investigation)
- Individuals affected: 7.7 million
- Most common locations of breached information: Paper/films; network server
Breaches don't always happen when a bad actor from outside a company infiltrates a server. Employees can also conduct data breaches if they access information stored in electronic health records when it's not part of their job to do so. Health care companies can also inadvertently disclose patient information to other entities.
That's what happened with Advocate Aurora Health, a Chicago-area company that operates 27 hospitals. In October 2022, the company disclosed a data breach that occurred through its use of tracking pixels provided by Google and Meta, Facebook's parent company. The pixels were supposed to help Advocate Aurora Health understand users' interaction with its websites, but they also sent health information—which by law should have been protected—belonging to 3 million patients to Facebook and Google.
3. Theft
- Number of breaches: 22 (14% resolved, 86% under investigation)
- Individuals affected: 462,035
- Most common locations of breached information: Portable electronic devices; paper/films
Doctors and other health care providers must keep medical records on file in case they have to defend against a medical malpractice lawsuit. Each state sets the length of time that's required, which is generally five to 10 years, but there are some extremes, such as the 30 years required for hospitals in Massachusetts.
The slow adoption of electronic health records means a lot of paper files and microfilms are sitting in storage and can be vulnerable to theft. That was the case for SAC Health System, which in March 2022 discovered that someone had broken into one of its off-site storage facilities. The loss included six boxes of paper documents that may have included patients' personally identifiable information and codes for their health diagnoses. Nearly 150,000 people were affected by this breach.
4. Loss
- Number of breaches: 12 (42% resolved, 58% under investigation)
- Individuals affected: 20,306
- Most common locations of breached information: Portable electronic devices
Human error can also account for a portion of data breaches when information is lost. Sometimes this occurs when patient health information is put on a USB storage device or another external data storage device that goes missing. Other times, documents that are shipped never make it to their destination.
In one case, Virginia-based health care provider The Art and Science of Dermatology discovered that a computer was missing from its offices and could have been breached by an unauthorized user. In this instance, 4,500 patients' health information was vulnerable to theft.