More Patient Data Has Been Compromised Through the First 7 Months of 2019 Than All of 2018

by Parampreet Singh

Each year, businesses in the health care sector invest more and more money into cybersecurity and data protection as the number of cyber-attacks and compromised patient records increases.  Despite this spending, successful cyber-attacks are significantly outpacing the health care sector’s efforts to protect patient data.

For example, in 2018, 15 million patient records were compromised as a result of slightly more than 500 breaches in the health care sector.  Through the first seven months of 2019, the three largest cyber-attacks alone affected more than 29.5 million patients.  The majority of the attacks, and the most dangerous of them, were carried out by hackers infiltrating third-party vendors or conducting successful phishing attacks.

Of the biggest breaches thus far this year, the American Medical Collection Agency (“AMCA”) breach resulted in the largest compromise of patient data, affecting approximately 25 million patients.  Securities and Exchange Commission filings revealed that AMCA was hacked for eight months, between August 2018 and March 2019.  The compromised records included personal and financial data, such as Social Security numbers, credit card numbers, bank details, patient contact information, and sensitive medical information.  Since the breach, AMCA’s parent company, Retrieval-Masters Creditors Bureau, has filed for Chapter 11 bankruptcy protection.  It is unclear how the data breach remained undetected for such an extended period of time.  According to the company’s filing, it had slashed its staffing numbers from 113 to 25 at the end of 2018.

Another of the largest data breaches so far this year involved Inmediata Health Group, affecting 1.57 million patients.  Inmediata Health Group provides clearinghouse services as well as software and business process outsourcing tools for health plans, hospitals, independent physician associations, and independent physicians.  Officials discovered the data breach in January 2019.  Electronic health information was exposed due to a search engine function that allowed internal webpages used for business operations to be indexed.  Compromised data included patient names, contact information, medical claims data, and Social Security numbers.  Furthermore, patients affected by the data breach received multiple breach notification letters, some addressed to other patients.

Data breaches in the health care industry occur frequently and continue to grow in terms of affected patients.  Health care providers and affiliated organizations remain attractive targets for hackers due to the amount of personal information they possess.  According to the 2019 Cost of a Data Breach Report, a joint report issued by IBM Security and the Ponemon Institute (the “Report”), data breaches in the health care industry are the most costly.  According to the Report, the average cost of a data breach is $3.9 million.  The average cost of a data breach in the health care industry is $6.45 million – a difference of over $2.5 million.  Similarly, the average cost per record lost is $150, whereas the cost per record lost in the health care industry is $429.  Furthermore, according to the Report, formation of an incident response team and the extensive use of encryption reduce the cost of a data breach by an average of $360,000 each. 

Although the frequency and magnitude of data breaches have grown year by year, there are many measures that entities participating in the health care industry can implement to protect patient data.  These include, but are not limited to: (1) investment in, and expansion of, the information technology department, (2) implementation of updated security policies and periodic training for employees, and (3) the formation of a well-rounded incident response team.