The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows 2021 was a record year for healthcare industry data breaches, with 714 breaches of protected health information reported to OCR that year. The breach reports do not show the full extent to which personal and protected health information has been exposed or impermissibly disclosed. Some data breaches have occurred that have yet to be reported, and other breaches involve healthcare data but are not reflected in the breach portal because they occurred at entities that are not subject to the HIPAA breach reporting requirements.
This week has seen Protenus publish its 2022 Breach Barometer report, which includes data from the OCR breach portal, and also data breaches tracked by databreaches.net, with the report providing a more accurate picture of the extent to which healthcare data breaches have occurred than the OCR breach portal.
According to the report, there were 905 breaches of healthcare data in 2021; figures for the number of records affected were available for 700 of those breaches. Across those 700 breaches, the records of 50,406,838 individuals were exposed or compromised. That represents a 19% increase in healthcare data breaches compared to 2020 and a 24% increase in breached records.
There were several large data breaches in 2021 covered in the media and reported to OCR, with the largest of the year occurring at a Florida children’s health plan that saw the records of 3.5 million individuals exposed. The health plan had contracted with a vendor to maintain its website, but vulnerabilities on the website had not been addressed since 2013. Those vulnerabilities were ultimately exploited by hackers.
Hacking incidents once again dominated the breach reports, accounting for 75% of all healthcare data breaches and 87% of all breached records. 2021 was the 6th successive year when hacking incidents increased. 43,782,811 of the 50,406,838 breached records were due to hacking incidents.
There has been a downward trend in insider breaches since Protenus started publishing its Breach Barometer reports in 2016. In 2021, there were 111 insider breaches, which is a 26% reduction from 2020 and on a par with the 110 insider incidents in 2019. 12% of the year’s data breaches were insider incidents, involving either human error or insider wrongdoing. The widespread adoption of encryption has helped to reduce the number of theft and loss incidents, which were once leading causes of healthcare data breaches. In 2021 there were 32 theft incidents (110,6656 records) and 11 loss incidents (30,922 records).
Protenus tracks the time taken to discover and report breaches. The average time to discover a breach fell by 30% year-over-year to 132 days; however, the time taken to report data breaches increased. In 2020, the average time to report a breach was 85 days after discovery; in 2021 it rose to 118 days, with a median of 62 days. The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, so HIPAA-regulated entities that exceed that time frame risk a fine for non-compliance.
The report also shows an increase in business associate data breaches, which in 2021 rose slightly and are now occurring at almost twice the frequency of 2019.