2020 – The Year in Breaches

We hope 2021 is off to a great start, for you and yours. We want to look at 2020 in healthcare information breaches and see what we can learn from them, now that the reporting has been completed . (Pardon the lag, but the Office for Civil Rights does not update its data in real-time).

In calendar year 2020 there were 534 publicly reportable incidents of ePHI. The victims range in size all the way from Walmart (2.2 million employees), down to numerous solo providers. The list also featured 26 dentists, in a bad year for that field – most of which were attacks at business associates supporting dental practices.

Brigham and Women’s, Geisinger, Mayo, Kaiser, and Memorial Sloan Kettering are all on the list, showing that a great clinical reputation doesn’t help secure your data.

For the first time since the Breach Notification Rule was passed, a client of ours is on the list.  We told them to turn on multi-factor authentication for their Office365 email system, but unfortunately, they didn’t do it. A former sales prospect is on the list as well, who after several conversations decided to go with someone else – a great pity.

Breach Type

  • The glamorous, hi-tech, sci-fi-movie plot type “hacking/IT incidents” accounted for 371 incidents.
  • Good old carelessness and/or snooping caused 110, over 20%, of the incidents. The term “Unauthorized access/disclosure” covers this case.  Basic training and careful handling of information never go out of style.
  • “Improper Disposal” caused 13 incidents involving over 570,000 individual records. There’s really no excuse for this. Shred the paper, destroy the disks.
  • The single largest was MedNAX, a Florida-based business associate whose Office365 system was compromised by phishing attack (Another example in favor of multi-factor authentication).

The Big Ones

The two biggest hacks of 2020, by far, are Blackbaud and SolarWinds – which are the root cause of many individual organizations’ reports, so they don’t show up on OCR’s website. These two present difficult challenges for small and mid-size organizations. Both are leaders in their space, both provide excellent tools, and both have more resources to secure their systems than the vast majority of their users. Both are also high-profile, high-value organizations that consequently were the target of sophisticated attacks.  Would we have told someone to quit using Blackbaud? Probably not. Is sensitive information safer with them, than if it were on-premises at 90% of their clients? Probably, even given the breach.

Time to Clean House

A great practice is to delete data you no longer need, even if it is hosted at a leader like Blackbaud. The most secure data is the data that’s not there (because it’s been deleted). Many organizations struggle with data retention, but the struggle is worth it. Nothing is more infuriating than suffering a breach of ePHI that you don’t really need.

The Bottom Line

To summarize the lessons learned from 2020’s data breaches:

  1. Human error and carelessness will never go away, so reminders and training will always be needed.
  2. Turn on multi-factor authentication wherever it’s available.
  3. Throw away you trash safely, especially if it contains ePHI.
  4. Have a data retention and destruction schedule, and stick to it – even on your cloud systems. If you don’t need the data, get rid of it. If you’re not sure, move it to a very secure place such as an encrypted file or off-line copy.

Best wishes for your 2021,