This Canary Mail HIPAA Breach report entails information about the breaches that have occurred in March 2022.
In March 2022, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services received 45 reports of healthcare security breaches involving 500 or more records, around 6-7 percent higher than February and considerably below the yearly average of 58 data breaches monthly.
Biggest Medical Data Thefts in March ’22
OCR received around 20-30 reports of security breaches affecting ten thousand or more people, almost all of which were hacking instances. A staff email account had been breached by malicious hackers and was utilized in a business email compromise (BEC) attack to try to redirect money to a 3rd vendor, according to Christie Business Holdings Company, that runs Christie Clinic in Illinois. BEC cyberattacks may constitute for a small proportion of healthcare security breaches, but they are the major cause of cyberattack losses, as per FBI statistics.
In February, CSI Laboratories reported a breach. Although the specifics of the hack was not revealed, the Conti ransomware group bore responsibility and uploaded a snippet of the leaked information on its security breach site in an attempt to get the laboratory to pay the money. In extortion attacks, double extortion strategies are becoming the trend, with money required for both the keys to decode files and to avert the release of hacked information.
Charleston Area Medical Center in West Virginia reported another phishing attack wherein around 50,000 email accounts were targeted. Another Healthcare Provider, Central Minnesota Mental Health Center reported a breach where 28,500 email accounts were compromised. In New Jersey, Dialyze Direct, LLC reported a hacking incident where 14,000 email accounts were targeted by unauthorized users. Colorado Physician Partners, PLLC reported another incident where 12,900 email accounts were hacked by malicious users.
Reasons for March ’22 Medical Data Thefts
Cyber events dominated the medical data theft reported in March, accounting for 91 percent of all reported data breaches and 98.3 percent of leaked medical data. The cyber events affected a total of 3,00,000 people. The median breach size was 18,000 records, with an average breach size of 78,000 records.
While “cyber events” encompasses a wide range of scenarios, 31 of the occurrences included hackers getting access to network servers containing patient data. Cyber attackers gained access to employee email accounts on ten occasions.
While cybersecurity incidents encompass a wide range of occurrences, 40 of the cases involved intruders getting access to network systems containing patient information. Intruders breached email accounts in ten of the cases.
Unauthorized access instances involving a total of 4,440 documents were reported in just 3 cases. The median breach size was 1,680 records, and the mean breach size was 1,480. A hard disc holding the records of 46,670 people was breached, which was the only theft reported.
HIPAA Enforcement Activity – March 2022
The Department of Health and Human Services stated in late March that 4 investigations into HIPAA-regulated organizations had resulted in financial penalties for non-compliance.