September 2017 saw a huge increase in the amount of healthcare data breaches, according to the recently released Breach Barometer report from Protenus which shows there was a serious rise increase. The Protenus report examines data violations made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) and attacks on privacy recorded by databreaches.net.
Overall, Protenus/databreaches.net recorded 46 healthcare data violations during in September. While the total number of people affected by the violatinos has not been confirmed, at least 499,144 healthcare records are thought to have been exposed or stolen. The overall amount of records exposed or obtained in four of the month’s breaches has yet to be released.
This significant increase in incidents results in September being the second worst month of 2017 for healthcare industry data breaches. Only June recorded higher figures, when 52 data breaches were reported to the relvant authorities.
The Protenus report confirms the most serious attack during September was a ransomware violation that saw the records of 128,000 individuals made inaccessible. It has not yet been made public if those records were accessed or stolen.
The main factors that resulted in healthcare data breaches during September were hacking (50%) and insider breaches (32.6%). The hacking total includes extortion attacks by TheDarkOverlord hacking group, ransomware attacks, and malware breaches. Hacking incidents made up 80% of breached records during September – 401,741 records – although figures for four of the attacks have not yet been made public. The hacking incidents during the month included one confirmed ransomware attacks, eight extortion dangers and seven phishing atempts.
The 15 insider incidents lead to the release of 73,926 private records. Those incidents included six insider mistakes and eight occurrences of insider wrong doing. Four theft incidents were submitted to the OCR which affected 17,295 patients.
The breaches happened at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered bodies, and 3 schools, with California the worst hit with 5 incidents reported.
While most healthcare groups identified discovered their data breaches within six weeks of them occurring – the average time for identification was 38 days – it took one healthcare provider 2108 days to discover that one of its staff had been improperly viewing medical records.
Most healthcare groups reported their violations inside the HIPAA Breach Notification Rule deadline of 60 days, although there were two exceptions to this. One healthcare group took 249 days to file its violation, risking incurring a significant HIPAA violation penalty.