50m Healthcare Records Breached During 2021: Breach Barometer Report

Protenus has published its 2022 Breach Barometer Report, which shows that more than 50 million healthcare records were exposed or compromised during 2021.

The report lists healthcare data breaches made known to regulators, including data breaches that have been covered by news outlets, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated organizations. The data for the report was compiled by the online publisher databreaches.net.

Protenus has been publishing yearly Breach Barometer reports since 2016. The number of healthcare data breaches has grown every year, and the number of breached records has grown every year since 2017. It is estimated that at least 50,406,838 individuals were affected by healthcare data breaches in 2021, a 24% increase from 2020. The report lists 905 incidents, a 19% increase from 2020.

The most significant healthcare data breach of the year took place at Florida Healthy Kids Corporation, a Tallahassee, FL-based children’s health plan. Security flaws in its web portal had gone unmitigated by its business associate since 2013, and those flaws were exploited by hackers who obtained access to the sensitive data of 3,500,000 individuals who applied for health insurance between 2013 and 2020.

Hacking incidents grew for the sixth successive year, with 678 data breaches (75% of the year’s total) attributed to hacking, a category that includes malware, ransomware, phishing and email attacks. Those cyberattacks led to the PHI of 43,782,811 individuals being accessed or stolen, 87% of all records breached in 2021.

Nick Culbertson, CEO of Protenus, said: “The need for proactive patient privacy monitoring has never been greater. The threats we’re seeing today are much more intrusive than in years past and can come from multiple sources — a random employee snooping or a sophisticated cybersecurity hacker that gains access through an employee channel. Once a breach erodes patient trust in your organization, that’s extremely difficult to recover from.”

There has been a noticeable trend over the past six years of the number of insider incidents falling. There were 111 insider incidents in 2021, similar to the 110 incidents in 2019 and a 26% drop from 2020. The increase in 2020 is thought to be linked to the COVID-19 pandemic, with Protenus proposing that it was due to a pandemic-related increase in insider curiosity, or in organizational detection of impropriety, that has since subsided.

There were 32 theft-related breaches involving at least 110,6656 records, and 11 cases of lost or missing devices or paperwork involving the records of at least 30,922 patients. 73 incidents could not be classified because of missing information.

Healthcare providers remain the worst affected HIPAA-covered entity type, but business associate data breaches have grown to almost double the level of 2019. 75% of those incidents were connected to hacking, 12% were due to insider error, and 1% were due to insider wrongdoing. Across those incidents, 20,986,509 records were accessed. Protenus says that the average number of records exposed in a business associate data breach is higher than for any other type of HIPAA-covered entity.

The time taken to detect a data breach dropped by 30% since 2020. The average time from breach to discovery is now 132 days; however, organizations are taking much longer to report data breaches than they did in 2020.