Healthcare Data Breach Trends Revealed by Protenus

The Breach Barometer mid-year review has been released by Protenus, in conjunction with Databreaches.net. The report covers all data privacy breaches reported in healthcare over the past six months and provides valuable insight into 2017 data breach trends for the industry.

This is a comprehensive review of healthcare data breaches. It includes not only the breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ (OCR) breach reporting mechanism, but also press reports of incidents and public findings that have been issued. Every breach is independently confirmed by databreaches.net before it is included in the report. The Breach Barometer reports investigate the main causes of the data breaches reported by healthcare organizations, health plans and their business partners.

Protenus co-founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review in a webinar on Wednesday.

He said that between January and June 2017 there were 233 reported data breaches, affecting 3,159,236 patients. The largest breach of the first half of the year led to the theft of 697,800 records and was caused by a ‘rogue insider’ – one of 96 incidents involving insiders.

Of those 96 insider incidents, 57 were due to insider mistakes or errors (423,000 records) and 36 were due to insider wrongdoing (743,665 records). The remaining three breaches could not be classified in either category.

The true number of insider incidents is likely to be far higher than the figure given in the Breach Barometer report.

Dissent explained that many incidents are never made public or reported to HHS. One of the best examples is incorrectly configured MongoDB databases. Many health organizations have not reported that protected health information was exposed online, even though security researchers discovered that the data could be accessed over the internet without authentication. When these incidents are officially reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.

The first half of 2017 saw 75 hacking incidents and 29 ransomware incidents made public. As was explained in the webinar, ransomware cases are similarly underreported, even though OCR has made it clear that ransomware attacks are officially reportable breaches. The true figure is likely to be much higher than the number reported.

In the first six months of the year, 41% of incidents were caused by insiders, 32% by hacking, and 18% by the loss or theft of records and devices; the cause of the remaining 9% of breaches is unknown.

Hacking may be the second largest cause of privacy breaches, but it has resulted in the exposure or theft of the most records: 1,684,904 records were exposed or stolen as a result of hacking, 1,166,674 by insiders, 112,302 through theft or loss, and 178,420 in incidents whose cause could not be identified.

In 2016, roughly 2 million patients were affected by incidents caused by insiders. So far this year, 1.17 million individuals have already been impacted by such incidents. Hacking incidents are also on the rise: last year there were 120 confirmed hacking incidents over the full 12 months, while this year there have already been 75 reported in the first six months.

In June this year, 52 healthcare data breaches were reported, by some distance the highest total for any month of the year to date. The second highest monthly total was 39 incidents. June also saw the third highest number of individuals impacted, with 729,930 records confirmed in the report as exposed or stolen.

Despite these figures, there is some good news. The time taken to report breaches to OCR improved over the first half of the year: the mean time to report was 54.5 days and the median 57 days. HIPAA allows 60 days to report a data breach and notify the affected individuals, and in June both the mean and the median were within the maximum time frame allowed by the HIPAA Breach Notification Rule.