Protenus, an organization that provides patient privacy monitoring for electronic health records, has released its monthly Breach Barometer report. The report shows a significant increase in healthcare data breaches in September compared with previous months. It covers healthcare data breaches reported to the Department of Health and Human Services' Office for Civil Rights (OCR) as well as security incidents tracked by databreaches.net; the latter have yet to appear on the OCR 'Wall of Shame.'
In total, Protenus and databreaches.net tracked 46 healthcare data breaches in September. The number of victims has not been confirmed for every incident, but at least 499,144 healthcare records are known to have been exposed or stolen. For four of the breaches investigated, the number of records exposed or stolen has yet to be disclosed.
The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June, with 52 reported data breaches, was worse. In August, healthcare organizations reported 33 data breaches.
The report shows that the worst incident of the month was a ransomware attack, which rendered the PHI of nearly 128,000 individuals inaccessible. The investigation into the cause of the attack is still underway, and it is not yet known whether those records were accessed or stolen.
The Protenus report showed that the main cause of healthcare data breaches in September was hacking (50%). The hacking total includes extortion attempts by the TheDarkOverlord hacking group, ransomware incidents, and malware attacks. Hacking incidents accounted for 80% of the records breached during the month (401,741 records), although figures for four of the incidents have not yet been disclosed, so this number could increase. The hacking incidents in September included one confirmed ransomware incident, eight extortion attempts, and seven phishing attacks.
The second most common cause of healthcare data breaches in September was insiders (32.6%), meaning individuals who work for the healthcare organization but violate HIPAA in some way. The 15 insider incidents resulted in the exposure of 73,926 records. Those incidents included six insider errors and eight instances of insider wrongdoing. Four theft incidents were also reported, impacting 17,295 patients.
The breaches occurred at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered entities, and 3 schools. California was the worst affected state, with a total of 5 incidents.
While most healthcare organizations discovered their data breaches within 6 weeks (the median time to discovery was 38 days), it took the provider PeaceHealth nearly six years to discover that one of its employees had been improperly accessing medical records.
Under the HIPAA Breach Notification Rule, healthcare organizations are required to report breaches without unreasonable delay and no later than 60 days after discovery. Most healthcare organizations adhered to this requirement, although there were two exceptions. One of these organizations took 249 days to report its breach, well outside the 60-day limit, and is therefore at risk of a significant HIPAA violation penalty.