Here’s a striking fact. So far this year, there have been 316 healthcare data security breaches reported to the federal government. This statistic includes incidents reported by health plans, healthcare providers and healthcare clearing houses.

And not surprisingly, 2018 is on track to be the worst year on record for healthcare data security incidents.

Beginning in October 2009, the Department of Health and Human Services’ Office for Civil Rights started compiling summaries of healthcare data security breaches. The online portal – where incidents are reported – excludes breaches of fewer than 500 records. Over the past nine years, the uptick in healthcare breaches has been steady. Between 2009 and 2015, there have been more than 2,000 reported breaches, all involving more than 500 records. 

A recent incident involving the federal government’s own healthcare insurance websites underscore the vulnerability of such information when proper controls aren’t used or the information isn’t properly secured.

As we have previously reported, the Centers for Medicare & Medicaid Services’ (CMS), the federal government’s top healthcare insurance agency, disclosed a hack last month that affected approximately 75,000 records.

Few details have been released about the CMS incident. In a written statement issued several weeks ago, the agency said that it “detected anomalous activity” on Oct. 13th and “took immediate steps to secure the system and consumer information.” At the time, it was unclear what type of information might have been compromised in the incident.

But in a letter sent last week to affected individuals, CMS said the compromised information was, in fact, potentially sensitive. The letter said the compromised data may have included names, dates of birth, partial Social Security Numbers, income information, tax filing status, immigration status, results of applications for healthcare coverage and other health-related information.

The incident affected only the Federally Facilitated Exchanges’ (FFE) Direct Enrollment pathway, which permits agents and brokers to help “consumers with applications for coverage in the FFE,” according to CMS.  It is the system used to enroll in healthcare plans via the insurance exchange established under the Affordable Care Act or Obamacare.

The federal government has a less than stellar track record when it comes to its own healthcare cybersecurity. Its “Healthcare.gov” website has been subject to multiple hacks and vulnerabilities. In 2016, a report from the General Accounting Office entitled “Actions Needed To Enhance Information Security and Privacy Controls,” the agency said that the website had experienced 316 data security incidents between October 2013 and March 2015. The GAO report identified vulnerabilities in the website’s technical controls including inconsistent application of security patches.

As we close in our year-end, we’ll continue to monitor the number of data security incidents in the healthcare sector and report on any trends that we observe. Stay tuned.