Protenus has published the latest edition of its Healthcare Breach Barometer report. Protenus reports that at least 473,807 patient records were accessed or stolen in January, although the number of people affected by 11 of the 37 breaches is not yet known. The actual figure is likely to be much higher, possibly taking the final total to more than half a million records.
The report shows that insiders are still causing problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January: 12 of the 37 breaches reported in January were caused by insiders, or 32% of all data breaches.
While insiders were the main cause of breaches, those incidents affected a relatively small number of people, just 1% of all breached records. Insiders exposed 6,805 patient records, although figures were only available for 8 of the 12 breaches. Seven incidents were attributed to insider error and five to insider wrongdoing.
Protenus drew attention to one insider breach in particular. A nurse was found to have accessed the health information of 1,309 patients without authorization over a period of 15 months. Had the healthcare organization had technology in place to monitor for inappropriate access, the privacy of hundreds of patients would not have been breached.
The second largest cause of healthcare data breaches in January was hacking/IT incidents. Healthcare organizations reported 11 hacking/IT incidents in January, 30% of all breaches. In contrast to insider incidents, these were not small breaches: they accounted for 83% of all breached records in January. A single hacking incident affected 279,865 records, 59% of all records breached in the month.
Overall, 393,766 healthcare records were affected by hacks and other IT incidents. The final figure could be much higher, as the numbers for five of those breaches have not been determined. One of the incidents with an unknown number of affected records was the ransomware attack on the EHR company Allscripts, which led to some of its applications being unavailable for several days. That incident could well be the largest breach of the month.
Ransomware remains a major problem in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing, the subject of February's cybersecurity newsletter from the HHS' Office for Civil Rights, was involved in at least two breaches.
The loss or theft of electronic devices containing ePHI or physical records accounted for 22% of the breaches. Two incidents involving lost records affected 10,590 people, and four of the six theft incidents affected 50,929 individuals. The number of individuals affected by the other two theft incidents is still unknown. The cause of 16% of January's data breaches has not yet been disclosed.
The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the most breaches (84%). 5% of the breaches involved a business associate (BA), 3% affected health plans, and 8% affected other entities.
Information on how long it took to discover breaches was only available for 11 of the 37 incidents. The median time from the incident to its discovery was 34 days and the average was 252 days. The average was skewed by one incident that took 1,445 days to discover.
The median time from discovery of a breach to reporting the incident was 59 days, one day short of the 60-day deadline of the HIPAA Breach Notification Rule. The average was 96 days. Four healthcare organizations took more than 60 days to report their breaches, with one taking more than 800 days.