Healthcare firms know well enough to be careful about phishing and ransomware attacks, but data collected over the last six months by the HHS HIPAA Breach Reporting Tool revealed that two of the four biggest health care breaches were self-inflicted injuries. “Misconfigured IT” was cited as the reason behind the data breaches at UW Medicine and at Zoll Services, a provider of emergency medical devices.
In all, hacking incidents and misconfigured IT accounted for 51 of the 81 major health data breaches tracked by the government this year. These 51 hacking and misconfigured IT incidents affected 2.8 million individuals, or 90% of all people affected by these major health data breaches.
Marianne McGee tells us more about health data breaches in this report from BankInfo Security:
The largest health data breach added to the tally so far this year, which was listed as a hacking/IT incident, involved a misconfigured database reported in February by UW Medicine. That incident potentially exposed the protected health information of 974,000 individuals for several weeks late last year.
UW Medicine said in a statement that last December, it became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet. The Seattle, Washington-based academic medical system says the misconfigured database at UW Medicine was the result of a coding error when data was being moved onto a new server.
A server mishap was also the culprit in a breach reported to HHS in March by Zoll Services, a provider of emergency medical devices. That incident, which impacted 277,000 individuals, involved a third-party vendor migrating a server containing Zoll’s archived email.
The other breaches among the five largest added to the HHS site so far this year were hacking incidents stemming from ransomware and phishing attacks. In February, Columbia Surgical Specialists of Spokane, Washington, reported a hacking incident involving ransomware that impacted the PHI of 400,000 individuals.
A phishing incident at UConn Health reported in February affected 326,000 individuals. Another phishing incident was reported in January by a payroll HR/administration vendor – Centerstone Insurance and Financial Services, which does business as BenefitMall. That breach affected about 112,000 individuals.