Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen.
Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. The total number of breached records may be down year on year, but the total number of incidents has increased. 2016 has been the worst year for healthcare industry breaches since records first started being kept.
The Protenus 2016 healthcare data breach report includes data breaches that have already been reported to the Department of Health and Human Services’ Office for Civil Rights, in addition to those that have been disclosed to the media but not yet uploaded to the OCR breach portal.
In total, there were 27,314,647 individuals affected by healthcare data breaches in 2016, with detailed information available for 380 of the 450 incidents. More than one healthcare data breach was reported every single day, on average, in 2016.
Data breaches fluctuated throughout 2016, with no clear trend emerging. The worst months of the year – in terms of the number of records breached – were June and August. In June, 10,880,605 healthcare records were exposed or stolen. 9,096,515 records were breached in August.
The worst months of 2016 for reported data breaches were November (58 incidents), April (946 incidents) and August (45 incidents). January saw the fewest breaches, with 21 incidents reported. January also saw the lowest number of healthcare records exposed, with 104,056 individuals impacted.
Million-record plus data breaches were relatively rare. The largest breach of the year – at Banner Health – saw 3.62 million records exposed.
The 2016 healthcare data breach report shows the majority of security breaches in 2016 involved insiders. Protenus classified insider breaches as those involving accidents caused by human error, data theft by healthcare workers, and snooping on medical records. 43% of the data breaches in 2016 involved insiders, compared to 26.8% of incidents which involved hacking, malware or ransomware.
There were 99 accidental data breaches and 91 breaches caused by insider wrongdoing. Breaches caused by insider wrongdoing tended to expose less data than accidental breaches: accidental data breaches exposed three times as many records, on average.
2016 saw an explosion in ransomware attacks with the healthcare industry heavily targeted. The healthcare data breach report indicates only 30 ransomware attacks were reported in 2016. The true figure may be considerably higher. Healthcare organizations are only required to report ransomware attacks if there was a reasonable probability that ePHI was compromised. Covered entities also have up to 60 days to report healthcare data breaches, so a final total for the year will not be available until March 1, 2017. 2016 also saw a rise in other extortion attempts, with hackers gaining access to healthcare data and demanding ransoms not to publish the information.
Hacking may not have been the biggest cause of healthcare data breaches in 2016, but hackers certainly obtained the most records. 120 hacking incidents were included in the report, although the number of records stolen in those attacks was only known for 99 incidents. Even so, the total number of records obtained by hackers was 87% of the annual total – 23,695,069 records.
Healthcare providers were the worst hit in 2016, accounting for 80% of the total breach count. Health plans were second with 10% of incidents, followed by business associate breaches, which accounted for 6.3% of the total. 4% of breaches affected other entities.
The report shows healthcare organizations are slow to detect breaches. The average time to discover a data breach was 233 days, although insider breaches took considerably longer: in cases of insider wrongdoing, it took an average of 607 days to discover that ePHI had been breached. Protenus reports the average time from the breach to reporting the incident to HHS was 344 days.