The healthcare security breaches in Q4 of 2017 decreased by 13%. In Q3, there were 99 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In Q4, 86 security breaches were reported, which is 13 incidents less than the previous quarter.
The number of healthcare security breaches reported per month in the last quarter is as follows: October – 27; November – 21; December – 38. It’s not only the number of breaches that declined but also the severity of breaches. In Q3, 8 data breaches impacted over 50,000 people. In Q4, the largest data breach impacted 47,000 persons.
In Q4, breached records had a steady increase each month from 71,377 breached records in October to 107,143 records in November to 341,621 records in December. However, monthly breached records for this quarter were all lower than any month in the past quarter. The total number of breached records for Q4 is 520,141.
Typically, the highest number of data breaches is associated to hacking/IT incidents. In Q4, 47% of security incidents were because of hacking and IT incidents. 27% were because of loss and theft incidents and 20% were due to unauthorized access and disclosures. As for the most number of exposed or stolen records, unauthorized access and disclosure incidents are the greatest. In Q4, 33 out of 86 reported healthcare security breaches were due to unauthorized access/disclosures, 29 were due to hacking/IT cases, 20 were due to loss or theft of PHI and ePHI and 4 incidents were due to improper disposal of PHI/ePHI.
There were also a significant number of breaches in Q4 – 21 incidents or 24.4% – that involved paper records/films. Other top causes of healthcare data breaches in Q4 are email/phishing attacks and network server attacks. In descending order of security breaches reported in Q4, healthcare providers come first, next are health plans, then business associates of HIPAA-covered entities.
Healthcare organizations from 35 states reported security breaches in Q4 2017. California topped the list with 7 incidents. Florida and Maryland reported 6 breaches each. New York had 5 breaches while Kentucky, Texas and Michigan had 4 breaches each. Colorado, New Jersey, Illinois and Pennsylvania had 3 incidents each.