20.2 million health records were breached in the first half of 2022 in the US, an analysis by HIPAA Journal reveals. The number of breaches has reduced from 27.6 million in H1-2021, and 22.2 million in H2-2021. Despite this reduction, the number of breaches continues to remain very high. A simple calculation would reveal that over 70 million health records have been breached in the last 18 months.
More about HIPAA journal: HIPAA Journal is a website covering issues related to HIPAA compliance. HIPAA or Health Insurance Portability and Accountability Act of 1996 is a federal US law which aims to protect “sensitive patient health information from being disclosed without patients’ consent”, among other things.
Why it matters: Initiatives like Ayushman Bharat Digital Mission (ABDM), which aims to digitise health records, also put the data of Indians at risk of being hacked or leaked, especially in the absence of a strong data protection law. Hospitals and medical websites face a similar risk since they collect and store a lot of health data about patients. This analysis indicates the risks that come with digitisation of health records.
Major points to note from HIPAA Journal’s analysis of healthcare data breaches in H1, 2022:
- 6% decline in the number of healthcare data breaches with 500 or more records in the past 18 months: The number stood at 347 in H1-2022, the same as in H2-2021; in H1-2021, the number was 368.
- Four data breaches in H1-2022 had 1 million+ records: The biggest data breach affects 2 million individuals, while the second biggest data breach affects 1.3 million individuals. Moreover, 37 data breaches had more than 100,000 healthcare records. The most popular range for healthcare data breaches was 10k to 100k records.
- Hacking/IT incidents accounted for about 80% of the health data breach incidents in H1-2022: Moreover, out of the 20.2 million people affected by data breaches, 19.6 million were affected by hacking incidents. “The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records” the HIPAA Journal website states.
- Most of the breached Protected Health Information was stored in Network servers: This is “unsurprising given the high number of hacking incidents and ransomware attacks”, the website states. Moreover, a lot of health data is compromised through emails because of “phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies,” according to HIPAA Journal. The chart below shows the location where healthcare data was stored in H1-2022.
- Rising breaches at Business Associate level: Although most of the breaches in H1-2022 occurred at the Healthcare Provider level (which includes hospitals, clinics, nursing homes etc.), the number of breaches at the Business Associate level (which includes software providers, cloud service platforms and billing companies) has increased significantly. 183 breaches through Healthcare Providers occurred in H1-2022, down from 213 in H2-2021. At the Business Associate level, the number of breaches increased by 31%, from 97 to 128, during the same period.
- “U.S. states with the highest populations tend to be the worst affected by data breaches”, HIPAA Journal website says: The highest number of breaches occurred in New York (29), followed by California (23), New Jersey and Texas (18), Florida and Ohio (17) and Michigan & Pennsylvania (15).
- Penalties: The Office for Civil Rights (OCR) “started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed”, the website states. However, it adds that “2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022”.
Why India should be worried:
- Cyberthreats have no boundaries: Almost 80% of the data breached was through hacking/IT incidents. Hackers know no boundaries and if they can extract data from a system in the US, then what’s stopping them from attacking with ransomware in India?
- Lack of a strong data protection law: The Central government withdrew the Data Protection Bill on August 3, 2022. A relevant bill is expected to be tabled in the monsoon session this year but as of now, without any concrete law protecting the privacy of individuals, there’s a lot of scope for misuse of health data.
- Lack of awareness: It’s hard to imagine people in India being aware of the privacy policy of a company or of how their health data will be used once shared with a hospital or a medical website. Moreover, most organisations write their privacy policy in English, which is not the preferred language for most Indians.
In August 2019, healthcare records of 6.8 million individuals were hacked in India. A Surfshark report states that India was the country with the third highest data breaches in the world in 2021, after the US and Iran. 86 million data breaches occurred in India whereas the number was 212 million in the US. Policymakers can take a cue from the US’s system of making the information about healthcare data breaches publicly available to put accountability on stakeholders. Moreover, India should only proceed towards its digitisation plan with caution and a plan for strong cyber-security.
Limitations to the analysis: The HIPAA Journal website mentions that the total number of breaches reported may change throughout the process of analysing how the data was compromised. They also state that “many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report.”
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
I cover privacy, surveillance and tech policy. In my reporting, I try my best to present the most relevant facts, and sometimes add in a pinch of my thoughts.
