HHS: More than 2M patients affected by breaches reported in October

  • The knowledge comes in the wake of recent reports that cybercriminals use industry-standard methods of encryption to enact attacks that circumvent detection.

  • This past week the U.S. Department of Health and Human Services released a snapshot outlining abuses reported in October to the Office of Civil Rights.

In total, of the 58 recorded breaches, more than 2 million people had their data exposed, although it is likely that several cases affected the same patients.

It should be noted that the Secretary must by statute, post violations of unsecured protected health data involving 500 or more persons, meaning violations affecting less than were not listed.

Why does it matter?

Slightly more than a third of the violations recorded in October took place via email, according to HHS, and about 40 percent took place over a network server.

Three of the violations occurred inside an electronic medical record, including a Mayo Clinic incident involving a now-fired employee accessing potentially sensitive images improperly.

Although the violations were all recorded in October, not all of them took place last month. According to suits brought against the firm, the largest violation, affecting more than 800,000 patients of Luxottica of America Inc., which operates vision care facilities, appears to have occurred in August.

The HHS list did not provide further information about each infringement. Nonetheless, a 2020 State of Encrypted Attacks study released last week by the Zscaler ThreatLabZ research team found that cyber criminals are using industry-standard encryption strategies, combined with malware, to enact attacks that circumvent detection.

“Sophisticated attack chains have been developed by cybercriminals that start with an innocent-looking phishing email containing an exploit or secret malware. If an unaware user clicks, the attack moves into the installation process of the malware, and eventually to the exfiltration of valuable corporate data,” authors wrote the paper.

About the record

Juta Gurinaviciute, chief technical officer at NordVPN Teams, said in a statement, "The implications [of a cyberattack] may be serious. If an attack occurs in the middle of a surgery, whatever devices are being used might go down, forcing medical personnel to fall back on manual methods."

Computers are often MRI machines, ventilators, and some kinds of microscopes. These computers come with software that the developers have to help, just like our laptops," Gurinaviciute said As the machines get old and obsolete, the people who built them will stop supporting them. That means it can render old software vulnerable to attacks. Read more from source