In the first quarter of 2018, 77 healthcare data breaches were reported to the Department of Health and Human Services' Office for Civil Rights (OCR). Over one million individuals, ranging from patients to healthcare plan members, are thought to be affected by the breaches. This is nearly twice the figure of those affected by breaches reported in the closing quarter of 2017. The official figures stand at 1,073,766 individuals who had their data compromised in early 2018, in comparison to just 520,141 in late 2017.
In spite of the huge increase in the number of individuals affected, there was in fact a 10.5% fall in the number of data breaches reported between Q4 2017 and Q1 2018. However, the number of people affected by each breach increased by a staggering 130.57% on average.
In Q4 2017, the mean breach consisted of 6,048 healthcare records being compromised. In contrast, in Q1 2018, the mean breach size was 13,945 records. In addition to the mean breach size increasing, the median also rose by 15.37%, from 1,666 records in Q4 2017 to 1,922 in Q1 2018.
Month-by-Month Healthcare Data Breaches in Q1, 2018
January was the worst month in Q1, 2018 in terms of the number of individuals affected: 433,149. Although January actually saw fewer breaches than the average month in 2017 (only 22 over the entire month, in comparison to nearly one a day in 2017), it also saw the largest breach of the period. A staggering 280,000 records were stolen in one incident, making January the worst month in terms of the number of individuals affected. February saw 308,780 individuals have their protected health information (PHI) stolen, with March coming in slightly higher at 331,837. Despite both February and March having fewer records stolen overall, the number of breaches occurring increased, with 25 and 30 breaches reported respectively.
Main Causes of Healthcare Data Breaches in Q1, 2018
There are a wide variety of ways in which breaches occur in the healthcare industry. However, this industry is unique as it is in fact healthcare professionals and industry workers who cause most of the breaches; in most other industries, hacking/IT incidents dominate the breach reports. Unauthorized access and disclosure incidents, loss of physical records and devices containing ePHI, and improper disposal incidents accounted for 59.74% of the 77 breaches reported in Q1. These incidents occurred at the hands of those working in the healthcare industry, either accidentally or with malicious intent.
There were 35 incidents of unauthorized access/disclosures reported in Q1 2018, making this the most common cause of breaches. There were 15 breaches involving the loss or theft of electronic devices containing ePHI, all of which could have been prevented had encryption been used. Hacking resulted in 21 breaches of PHI, but these incidents often saw huge amounts of data being compromised. Improper disposal of data only caused 4 breaches in Q1 2018.
Despite unauthorized access/disclosure being the leading cause of breaches, it is only second to hacking/IT incidents when it comes to the number of files compromised. An astonishing 610,839 healthcare records were exposed due to hacking/IT incidents, in comparison to only 384,123 due to unauthorized access/disclosure. Around 65,471 files were breached due to loss/theft, and only 13,333 were exposed due to improper disposal. This meant that more files were compromised due to hacking/IT incidents than all of the other categories combined.
Location of Breached PHI in Q1, 2018
Both physical and technical safeguards must be in place to ensure the integrity of PHI, although most security teams focus on the latter. Physical records, including paper and films, were the top location of breached PHI in Q1, 2018. This follows the trend seen in 2017. Email was the second most common location of compromised PHI in Q1, 2018. Emails may be compromised due to phishing attempts, social engineering, or hacking.
Of the 77 breaches in Q1, 2018, the vast majority were through healthcare providers having their patient data compromised. Only 14 breaches (18%) were through health plans, and just 2 breaches occurred through business associates.
Healthcare Data Breaches by State
In Q1, healthcare organisations based in 35 states reported breaches of more than 500 records. The worst affected state was California with 11 reported breaches, followed by Massachusetts with 8 security incidents.
There were four security incidents in both Missouri and New York, and three breaches reported by healthcare organisations based in Florida, Illinois, Maryland, Mississippi, Tennessee, and Wisconsin.
Healthcare organisations based in Alabama, Arkansas, Kentucky, Rhode Island, Texas, and Wyoming reported two breaches.
There was one breach experienced in Colorado, Connecticut, District of Columbia, Georgia, Iowa, Maine, Michigan, Minnesota, North Carolina, New Jersey, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, Virginia, Washington and West Virginia.