Protenus, an organisation which aims to help healthcare organisations protect private patient data, regularly releases “Healthcare Breach Barometer” reports which compile its intelligence on healthcare data breaches. Protenus reports that 37 breaches of protected health information (PHI) were reported in January 2018. At least 473,807 patient records were exposed or stolen, although the number of individuals affected by 11 of the 37 breaches is not yet known, so the true total may exceed 500,000 records.
According to the report, those who actually work in the healthcare industry, the so-called “insiders”, are the biggest risk to healthcare organisations when it comes to PHI being compromised. Insiders were the single biggest cause of healthcare data breaches in January: of the 37 healthcare data breaches reported that month, 12 were attributed to insiders.
Although insiders caused the most breaches, these were all on a relatively small scale: Protenus shows that they accounted for just 1% of all records breached. Insiders compromised at least 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. Of the 12 insider incidents, seven were attributed to insider error, with data accidentally exposed to unauthorised individuals. The other five were due to an insider accessing the information with malicious intent and for personal gain.
Protenus includes a number of case studies in its report. In one, it was discovered that a nurse had accessed the health information of 1,309 patients without authorisation. The breach continued for 15 months without anybody noticing the repeated violation. If the healthcare organisation had had technology in place to monitor for inappropriate access, the pattern would have been flagged long before it reached more than a thousand patients.
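The monitoring the case study calls for is, at its core, two rules over the EHR audit trail: flag any chart opened by a user with no documented treatment relationship, then aggregate those flags per user over a sliding window so that a low-and-slow snooper who opens a few charts a week still trips an alert. The following is an added example written for this page, not code from Protenus or from any EHR vendor; the pipe-delimited audit format, the care-team table, the `break_glass` override action and the 30-day/3-patient threshold are all constructed assumptions.

```python
"""Toy insider-snooping detection over a constructed EHR audit log.

Assumptions (not from the article or any real product):
  - audit lines are 'timestamp|user|patient|action'
  - CARE_TEAM lists users with a documented treatment relationship per patient
  - 'break_glass' is an audited emergency override that is reviewed separately
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines; nurse_b opens charts late at night with no relationship.
AUDIT_LINES = """\
2017-10-02T08:15:00|nurse_a|P001|view_chart
2017-10-02T08:20:00|dr_lee|P002|view_chart
2017-10-03T22:41:00|nurse_b|P003|view_chart
2017-10-19T23:05:00|nurse_b|P004|view_chart
2017-11-04T21:58:00|nurse_b|P005|view_chart
2017-11-11T07:30:00|nurse_a|P006|break_glass
2017-11-20T22:10:00|nurse_b|P006|view_chart
2017-11-28T23:15:00|nurse_b|P007|view_chart
"""

# Constructed care-team table: who has a clinical reason to open each chart.
CARE_TEAM = {
    "P001": {"nurse_a", "dr_lee"},
    "P002": {"dr_lee"},
    "P003": {"nurse_b"},
    "P004": {"dr_lee"},
    "P005": {"dr_lee"},
    "P006": {"dr_lee"},
    "P007": {"dr_lee"},
}

# Actions that are legitimately allowed without a relationship (but still audited).
ALLOWED_WITHOUT_RELATIONSHIP = {"break_glass"}


def parse_audit(text):
    """Turn raw audit lines into (timestamp, user, patient, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, patient, action = line.strip().split("|")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def unexplained_accesses(events, care_team):
    """Rule 1: every chart access with no treatment relationship and no override."""
    return [
        (ts, user, patient, action)
        for ts, user, patient, action in events
        if user not in care_team.get(patient, set())
        and action not in ALLOWED_WITHOUT_RELATIONSHIP
    ]


def low_and_slow_snoopers(flagged, window_days=30, threshold=3):
    """Rule 2: users whose unexplained accesses reach `threshold` distinct
    patients inside any sliding window of `window_days`. Returns the peak
    distinct-patient count per alerting user."""
    per_user = defaultdict(list)
    for ts, user, patient, _ in flagged:
        per_user[user].append((ts, patient))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        peak = 0
        for i, (start, _) in enumerate(hits):
            in_window = {p for ts, p in hits[i:] if ts - start <= timedelta(days=window_days)}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[user] = peak
    return alerts


def run_detection(text=AUDIT_LINES, care_team=CARE_TEAM):
    """Run both rules and return (flagged events, per-user alerts)."""
    flagged = unexplained_accesses(parse_audit(text), care_team)
    return flagged, low_and_slow_snoopers(flagged)


if __name__ == "__main__":
    flagged, alerts = run_detection()
    for ts, user, patient, action in flagged:
        print(f"{ts.isoformat()} {user} opened {patient} ({action}) with no relationship")
    print("alerts:", alerts)
```

Rule 1 alone produces one line per suspicious access, which is what a reviewer drowns in; rule 2 is what turns 15 months of individually small events into a single alert on the user. In a real deployment the care-team table would be derived from encounters, schedules and orders, and the threshold tuned per role.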
Despite cybersecurity being at the forefront of many people’s minds when they think about data protection, hacking/IT incidents were only the second most common cause of breaches. There were 11 hacking/IT incidents reported by healthcare organisations in January. However, unlike insider breaches, these were on a much larger scale: they accounted for 83% of all breached records in January, around 393,766 records. One single hacking incident involved 279,865 records, 59% of all records breached that month. Figures for five of the 11 breaches could not be obtained when the report was published.
One of the incidents for which no figures were available was a ransomware attack on Allscripts, an EHR company. This resulted in some of its applications being unavailable for several days.
Ransomware encrypts or otherwise blocks access to systems and data until a ransom is paid to the attacker. Such attacks are a major problem in healthcare, with six of the 11 hacking/IT incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in at least two breaches.
The loss or theft of electronic devices containing ePHI, or of physical records, accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted around 10,000 individuals, and four of the six theft incidents impacted nearly 51,000 individuals. The number of individuals affected by the other two theft incidents is unknown. These numbers show that the importance of simple physical safeguards and of encryption on mobile devices which store ePHI cannot be overstated. Under the HIPAA Breach Notification Rule, ePHI encrypted in line with HHS guidance is not considered “unsecured”, so the loss of a properly encrypted device is not a reportable breach at all.
The cause of 16% of January’s data breaches has not yet been disclosed. The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the majority of breaches (84%). Only 5% of the breaches had some business associate (BA) involvement, and 3% affected health plans.
Protenus could only obtain information on the time taken to detect a breach for 11 of the 37 incidents. The median time from the incident to detection was 34 days and the average was 252 days. The average was distorted by a single outlier: one incident took 1,445 days to discover.
HIPAA’s Breach Notification Rule requires that individuals affected by a breach be notified without unreasonable delay, and in no case more than 60 days after the breach is discovered. Protenus found that the median time from discovery of a breach to reporting the incident was 59 days. The average was 96 days, well beyond the limit stipulated in the HIPAA Rules. Four healthcare organisations took longer than 60 days to report their breaches, with one taking more than 800 days.