Breaches of USA Medical Health Information

The U.S. Department of Health and Human Services Office for Civil Rights lists USA medical health information breaches affecting 500 or more individuals that occurred within the last 2 years and that are still under investigation.

The USA medical breach data for the last 2 years is displayed as a sortable list and can be downloaded as a spreadsheet or CSV file for further analysis. At the time of writing there are 354 entries, ranging from 500 individuals affected up to 10,000,000, although the latter is such a nice round number that some rounding was probably involved. The average number of individuals per case approaches 79,000.

The nature of private health care within the USA means that medical records could be accessed through many gateways, for example the health care provider administering the care and the insurer (health plan) taking responsibility for the costs. Under a national health service these would be the same body and would hopefully share common security protocols. The data indicates that the majority of breaches are, however, within the provider rather than the insurer:

  • Healthcare provider: 283
  • Health plan: 51
  • Business associate: 19
  • Unknown: 1

Relying on a private health care system also requires financial as well as medical records to be kept. These should be kept separate, but medical identity theft may offer enough clues to access financial data. This added incentive, plus the wider range of services, makes USA medical information systems an attractive target for hackers. Data security protection and exploitation follow the same guidelines the world over, so the causes of breaches would be of interest to anyone holding medical information. Looking at the numbers below, hacking is the most common cause of breaches but accounts for a little under half the cases:

  • Hacking: 149
  • Unauthorised access: 126
  • Theft: 62
  • Loss: 9
  • Improper disposal: 8

The cases of theft refer to physical theft of a device that contains the data rather than virtual theft of data from a server or workstation.  9 of the cases of theft were from paper or film records and 10 from portable electronic devices.  The remaining thefts are either labelled ‘other’ or linked to theft of a computer or laptop.
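As an added illustration of the kind of analysis the downloaded CSV allows (this is example code, not from the original post or from Kindus), the following Python tallies reports by covered entity type and by type of breach, breaks the theft cases down by where the data was held, and computes the average number of individuals affected. The column names follow the layout of the HHS OCR breach portal export as I understand it and should be treated as an assumption; the rows are constructed sample data, not real breach reports.

```python
import csv
import io
from collections import Counter
from statistics import mean

# Constructed sample in the column layout of the HHS OCR breach portal CSV.
# The column names are an assumption about that export; every row is invented.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,TX,Healthcare Provider,12000,2024-05-01,Hacking/IT Incident,Network Server
Example Health Plan B,NY,Health Plan,500,2024-04-20,Unauthorized Access/Disclosure,Email
Example Clinic C,CA,Healthcare Provider,2300,2024-03-11,Theft,Laptop
Example Billing D,FL,Business Associate,7500,2024-02-02,Theft,Paper/Films
Example Clinic E,OH,Healthcare Provider,610,2024-01-15,Loss,Other Portable Electronic Device
Example Clinic F,WA,Healthcare Provider,,2024-01-09,Improper Disposal,Paper/Films
"""


def parse_breach_csv(text):
    """Parse the CSV text into a list of dict rows.

    'Individuals Affected' is converted to int.  A blank or non-numeric value
    becomes None so the row still counts toward the category tallies but is
    left out of the average rather than silently counted as zero.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("Individuals Affected") or "").replace(",", "").strip()
        row["Individuals Affected"] = int(raw) if raw.isdigit() else None
        rows.append(row)
    return rows


def count_by(rows, column):
    """Number of breach reports per distinct value of `column`
    (e.g. 'Covered Entity Type' or 'Type of Breach')."""
    return Counter(row[column] for row in rows)


def average_individuals(rows):
    """Mean of 'Individuals Affected' over the rows that report a number."""
    values = [r["Individuals Affected"] for r in rows
              if r["Individuals Affected"] is not None]
    return mean(values) if values else 0


def theft_locations(rows):
    """Where the data was held in reports whose breach type is 'Theft':
    this separates paper/film and portable devices from laptops and 'other'."""
    return Counter(r["Location of Breached Information"]
                   for r in rows if r["Type of Breach"] == "Theft")


def largest_reports(rows, n=3):
    """The n reports affecting the most individuals, as (name, count) pairs;
    useful for spotting suspiciously round figures at the top of the list."""
    counted = [r for r in rows if r["Individuals Affected"] is not None]
    counted.sort(key=lambda r: r["Individuals Affected"], reverse=True)
    return [(r["Name of Covered Entity"], r["Individuals Affected"])
            for r in counted[:n]]


if __name__ == "__main__":
    breaches = parse_breach_csv(SAMPLE_CSV)
    print("By entity type:", dict(count_by(breaches, "Covered Entity Type")))
    print("By breach type:", dict(count_by(breaches, "Type of Breach")))
    print("Theft locations:", dict(theft_locations(breaches)))
    print("Average individuals affected:", average_individuals(breaches))
    print("Largest reports:", largest_reports(breaches))
```

Pointing `parse_breach_csv` at the real download instead of `SAMPLE_CSV` gives the same tallies the post quotes; the None handling matters there because a blank count would otherwise drag the average down unnoticed.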

Hacking is the hardest data breach to completely prevent. Whatever methods are in place, someone will be working on overcoming them, so security procedures need constant review. Kindus are in a position to offer confidential, bespoke advice on reducing the risk from hackers. Instances of unauthorised access, theft or loss of physical data stores will be minimised by setting up good practice, together with staff training to ensure that standards are maintained. Identity theft and disgruntled or poorly informed employees are causes of leaked account details that allow a criminal to access data while by-passing any security measures in place, because the system assumes they are a valid user. Kindus provide security audits and staff training to ensure that details of key accounts are not leaked.

Devices can be physically secured to reduce the risk of theft. With network and cloud based storage there is less need to keep records on physical devices than in the past. Where it is still required, access to those devices should be restricted with strong encryption that prevents the data itself from being accessed by an unauthorised user or from unauthorised locations.
