Extent of Insider Data Breaches Highlighted in November Barometer Report

The November 2017 healthcare Breach Barometer Report has been published by Protenus. Following a particularly bad September, healthcare data breach incidents fell back to more normal levels, with 37 breaches recorded during the month of October.

The monthly summary of healthcare data breaches compiles incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), together with incidents reported in the media and tracked by databreaches.net.

Those breach incidents include several breaches that have yet to be reported to OCR, including a major breach that has affected at least 150,000 people – the actual number of individuals affected will not be known until the investigation has been completed. The numbers of individuals affected by 8 of the breaches have not yet been made public.

Including the 150,000 people affected by the largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare sector has historically recorded a larger than average number of data breaches caused by internal members of staff, although over the past few months hacking has been the leading cause of breaches. That trend continued in October. Hacking was behind 35.1% of all breach incidents, insider incidents made up 29.7% of the total, and the loss and theft of devices accounted for 16.2% of incidents. The causes of the remaining 18.9% of breaches are not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider mistakes exposed more healthcare information: 65% of all breached records involved insider mistakes.

157,737 people had their PHI exposed due to insider mistakes and insider wrongdoing, while hacks led to the theft of the PHI of 56,837 people. Protenus said that three incidents were attributed to the hacking group TheDarkOverlord.

Overall, there were 11 breaches that were due to insiders – five due to mistakes and six due to insider wrongdoing. The biggest breach involving an insider mistake was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports containing the PHI of at least 150,000 people. It was one of two incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers in envelopes through which PHI was visible – a major incident that potentially caused considerable harm, as the visible information referred to patients’ HIV status.

The mean time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare groups are still struggling to identify data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline set by the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was identified. In that instance, the breach involved a nurse who was taking patient records and using the data to file false tax returns. The median time from identification to reporting was 59 days.

Healthcare providers reported 29 incidents, health plans reported 7 incidents, and one breach was reported by a school. Four hacking incidents were known to involve a business associate.

The worst hit states in October were California and Florida with four incidents apiece, followed by Texas and New York.